Please help. I'm new to regex and I'm having trouble getting Splunk to recognise the end of an event. Below is an example of how Splunk is seeing the log files. The domain reference is part of the event before, and I need the event to break at the DTG, not at the domain=blah before it.
domain=my.domain.it.com [17/Jul/2013:11:17:03 -0500] remote_host=nn.nnn.nnn.nnn ajax=- http_method=GET url=/pr XXXXXXXXX
domain=your.domain.uk.com [17/Jul/2013:11:17:03 -0500] remote_host=nn.nnn.nnn.nnn ajax=- http_method=GET url=/pr XXXXXXXXX
domain=my.funkydomain.uk.com [17/Jul/2013:11:17:03 -0500] remote_host=nn.nnn.nnn.nnn ajax=- http_method=GET url=/pr XXXXXXXXX
domain=his.funkydomain.uk.com [17/Jul/2013:11:17:03 -0500] remote_host=nn.nnn.nnn.nnn ajax=- http_method=GET url=/pr XXXXXXXXX
You can use the props.conf LINE_BREAKER attribute. It would look something like:
LINE_BREAKER=( )\[
This implies that the pattern is unique.
The thing to keep in mind is that Splunk has a data preview section that you can play around with. Manager » Data inputs » Files & directories » Data preview
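To see what that LINE_BREAKER does before touching props.conf, here is an added example (my own Python, not from the answer above and not Splunk code) that emulates the documented LINE_BREAKER rule: wherever the regex matches, the text of the first capturing group is discarded, its start ends the previous event and its end starts the next one. The sample lines are constructed in the shape of the question's lines (hosts and domains are placeholders). It compares `( )\[` with Splunk's default `([\r\n]+)` so you can confirm that the `domain=` field ends up at the tail of the preceding event, which is what the question asks for. In Splunk itself this applies when SHOULD_LINEMERGE is false, since LINE_BREAKER runs before line merging.

```python
import re

# Constructed sample, modelled on the lines in the question (not real hosts).
RAW_LOG = (
    "domain=my.domain.it.com [17/Jul/2013:11:17:03 -0500] "
    "remote_host=nn.nnn.nnn.nnn ajax=- http_method=GET url=/pr\n"
    "domain=your.domain.uk.com [17/Jul/2013:11:17:04 -0500] "
    "remote_host=nn.nnn.nnn.nnn ajax=- http_method=GET url=/pr\n"
    "domain=my.funkydomain.uk.com [17/Jul/2013:11:17:05 -0500] "
    "remote_host=nn.nnn.nnn.nnn ajax=- http_method=GET url=/pr\n"
)


def break_events(raw, line_breaker):
    """Emulate Splunk's LINE_BREAKER on a raw text stream.

    The regex must contain a capturing group. For every match, the text of the
    first group is dropped: the event in progress ends at the group's start and
    the next event begins at the group's end. Returns the list of events.
    """
    pattern = re.compile(line_breaker)
    if pattern.groups < 1:
        raise ValueError("LINE_BREAKER must contain a capturing group")

    events = []
    pos = 0
    for match in pattern.finditer(raw):
        if match.start(1) == -1:
            # The first group did not participate in this match; no break here.
            continue
        chunk = raw[pos:match.start(1)]
        if chunk:
            events.append(chunk)
        pos = match.end(1)

    tail = raw[pos:]
    if tail.strip():
        events.append(tail)
    return events


def preview(raw, line_breaker):
    """Print a numbered event list, roughly like Splunk's Data preview page."""
    events = break_events(raw, line_breaker)
    print(f"LINE_BREAKER={line_breaker!r} -> {len(events)} event(s)")
    for i, event in enumerate(events, 1):
        print(f"--- event {i} ---")
        print(event.rstrip("\r\n"))
    return events


if __name__ == "__main__":
    # Default breaker: one event per line, each starting with domain=...
    preview(RAW_LOG, r"([\r\n]+)")
    # Breaker from the answer: events start at the DTG, and the following
    # line's domain= field is carried at the end of the previous event.
    preview(RAW_LOG, r"( )\[")
```

Note that with `( )\[` the very first `domain=` value, which has no preceding DTG, becomes a one-field event of its own; that is the same artefact you would see in Data preview, and it is worth checking there that no other `space + [` sequence appears inside your real events (for example in a URL or user agent), since every such match would also split an event.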
Hi smudge797, if you are happy with the answer and it works for you, please accept the answer (both for the community and karma hoarding).
Great, thanks gregbujak. I know about the previewer but had no clue about that specific regex. Thanks!