Re: props.conf forcing a line break after a variab...

smudge797 · ‎07-18-2013

Please help Im new to regex and Im having trouble getting splunk to recognise the end of an event. Below is an example of how splunk is seeing the log files. The domain reference is part of the event before and i need the event to break at the DTG, not at the domain=blah before it.

domain=my.domain.it.com [17/Jul/2013:11:17:03 -0500] remote_host=nn.nnn.nnn.nnn ajax=- http_method=GET url=/pr XXXXXXXXX
domain=your.domain.uk.com [17/Jul/2013:11:17:03 -0500] remote_host=nn.nnn.nnn.nnn ajax=- http_method=GET url=/pr XXXXXXXXX
domain=my.funkydomain.uk.com [17/Jul/2013:11:17:03 -0500] remote_host=nn.nnn.nnn.nnn ajax=- http_method=GET url=/pr XXXXXXXXX
domain=his.funkydomain.uk.com [17/Jul/2013:11:17:03 -0500] remote_host=nn.nnn.nnn.nnn ajax=- http_method=GET url=/pr XXXXXXXXX

gregbujak · ‎07-18-2013

You can use the props.conf LINE_BREAKER attribute. It would look something like:

LINE_BREAKER=( )\[

This implies that the pattern is unique.

The thing to keep in mind is that Splunk has a data preview section that you can play around with. Manager » Data inputs » Files & directories » Data preview

gregbujak · ‎07-23-2013

Hi smudge797, if you are happy with the answer and it works for you, please accept the answer (both for the community and karma hoarding).

smudge797 · ‎07-23-2013

Great thanks gregbujak, I know about the previewer but had no clue about that specific regex. Thanks!

props.conf forcing a line break after a variable word

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life