Re: props.conf forcing a line break after a variab...

smudge797 · ‎07-18-2013

Please help Im new to regex and Im having trouble getting splunk to recognise the end of an event. Below is an example of how splunk is seeing the log files. The domain reference is part of the event before and i need the event to break at the DTG, not at the domain=blah before it.

domain=my.domain.it.com [17/Jul/2013:11:17:03 -0500] remote_host=nn.nnn.nnn.nnn ajax=- http_method=GET url=/pr XXXXXXXXX
domain=your.domain.uk.com [17/Jul/2013:11:17:03 -0500] remote_host=nn.nnn.nnn.nnn ajax=- http_method=GET url=/pr XXXXXXXXX
domain=my.funkydomain.uk.com [17/Jul/2013:11:17:03 -0500] remote_host=nn.nnn.nnn.nnn ajax=- http_method=GET url=/pr XXXXXXXXX
domain=his.funkydomain.uk.com [17/Jul/2013:11:17:03 -0500] remote_host=nn.nnn.nnn.nnn ajax=- http_method=GET url=/pr XXXXXXXXX

gregbujak · ‎07-18-2013

You can use the props.conf LINE_BREAKER attribute. It would look something like:

LINE_BREAKER=( )\[

This implies that the pattern is unique.

The thing to keep in mind is that Splunk has a data preview section that you can play around with. Manager » Data inputs » Files & directories » Data preview

gregbujak · ‎07-23-2013

Hi smudge797, if you are happy with the answer and it works for you, please accept the answer (both for the community and karma hoarding).

smudge797 · ‎07-23-2013

Great thanks gregbujak, I know about the previewer but had no clue about that specific regex. Thanks!

props.conf forcing a line break after a variable word

Observability | How to Think About Instrumentation Overhead (White Paper)

Cloud Platform | Get Resiliency in the Cloud Event (Register Now!)

The Great Resilience Quest: 10th Leaderboard Update