Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

regex Adding an empty line after value found

Giggs
New Member
‎11-19-2015 11:06 PM

Hi,

Newbie in regex, would like help to add a line after transactionid=XXXXXX. My props looks like this:

[source::/nyx/nogscore/log/nogscore-*]
SHOULD_LINEMERGE=False
BREAK_ONLY_BEFORE_DATE=false
LINE_BREAKER_LOOKBEHIND=500
LINE_BREAKER=(transactionid=[0-9]+)
DATETIME_CONFIG=CURRENT

LOG:
NNNN :000.01| 06:37:15 [4067241XXX] ws_proc.cpp:1002 - INFO : 00 NOGS::wallet version match: 1.2
NNNN :000.00| 06:37:15 [40672414XXX] ws_api12.cpp:279 * CHECK : 10 NOGS:::#name=wager;accountid=2-4410XXX-USD,USD;activationid=;apiversion=1.0;betamount=0.06;campaignid=;clienttype=html5;currency=USD;gpgameid=doctorlove;gpid=100;jpc=;loginname=XXX;opid=XXX;password=XXX;request=wager;roundid=529233;sessionid=0000000CEDE13001c099559651a5ca63d5d325bde65907e3e55683dca0338159965a2fc1c2bfb311;transactionid=1268348 (Like a new line after this)
NNNN :000.01| 06:37:15 [4059315XXX] ws_proc.cpp:1002 - INFO : 00 NOGS::wallet version match: 1.2
NNNN :000.00| 06:37:15 [4059315XXX] ws_api12.cpp:606 * CHECK : 10 NOGS:::#name=result;accountid=2-44101XXX-USD,USD;apiversion=1.0;clienttype=html5;currency=USD;gamestatus=completed;gpgameid=doctorlove;gpid=100;houseincome=;jpwonamount=;loginname=XXX;opid=XXX;password=XXXX;request=result;roundid=529233;sessionid=0000000CEDE13001c099559651a5ca63d5d325bde65907e3e55683dca0338159965a2fc1c2bfb311;transactionid=1268349;wonamount=0.00

Tags (2)
0 Karma
Reply

woodcock
Esteemed Legend
‎11-21-2015 01:04 PM

I am going to assume you mean exactly what you said (which seems very strange to me). Do it like this in props.conf:

[source::/nyx/nogscore/log/nogscore-*]
SEDCMD-add_extra_newline_at_end_of_line_after_transactionid = s/(transactionid=.*$)/\1\n/g

Note: After making changes to props.conf and deploying to Indexers (or Heavy Forwarders), restart all Splunk Enterprise instances to enable the configuration changes. This applies ONLY TO EVENTS THAT ARE INDEXED POST-RESTART.

http://docs.splunk.com/Documentation/Splunk/6.2.0/Data/Anonymizedatausingconfigurationfiles

0 Karma
Reply

woodcock
Esteemed Legend
‎11-21-2015 11:37 AM

Are you saying that in your file that you would like to merge lines such that they are treated as a multi-line event all the way until the last line which should contain "transactionid=" and then at the next newline, break the event there and start a new event?

0 Karma
Reply

Giggs
New Member
‎11-20-2015 06:06 AM

Looks like this :

essionid=0000000CEDE13001c099559651a5ca63d5d325bde65907e3e55683dca0338159965a2fc1c2bfb311;transactionid=1268348
NNNN :000.01| 06:37:15 [4059315XXX] ws_proc.cpp:1002 - INFO : 00 NOGS::wallet version match: 1.2

Want to look like this :sessionid=0000000CEDE13001c099559651a5ca63d5d325bde65907e3e55683dca0338159965a2fc1c2bfb311;transactionid=1268348

NNNN :000.01| 06:37:15 [4059315XXX] ws_proc.cpp:1002 - INFO : 00 NOGS::wallet version match: 1.2

0 Karma
Reply

Richfez
SplunkTrust
SplunkTrust
‎11-20-2015 05:54 AM

Is your example one after you've manually inserted a carriage return into it, is it the actual LOG line as it sits on disk before Splunk ingested it, or the _raw event, or...

Basically, do your events look like this (trimmed):

sessionid=0000000CEDE13001c099559651a5ca63d5d325bde65907e3e55683dca0338159965a2fc1c2bfb311;transactionid=1268348 NNNN :000.01| 06:37:15 [4059315XXX] ws_proc.cpp:1002 - INFO : 00 NOGS::wallet version match: 1.2

or like this

sessionid=0000000CEDE13001c099559651a5ca63d5d325bde65907e3e55683dca0338159965a2fc1c2bfb311;transactionid=1268348 
NNNN :000.01| 06:37:15 [4059315XXX] ws_proc.cpp:1002 - INFO : 00 NOGS::wallet version match: 1.2

And do you want them to look like this

sessionid=0000000CEDE13001c099559651a5ca63d5d325bde65907e3e55683dca0338159965a2fc1c2bfb311;transactionid=1268348 
NNNN :000.01| 06:37:15 [4059315XXX] ws_proc.cpp:1002 - INFO : 00 NOGS::wallet version match: 1.2

or like this

sessionid=0000000CEDE13001c099559651a5ca63d5d325bde65907e3e55683dca0338159965a2fc1c2bfb311;transactionid=1268348 

NNNN :000.01| 06:37:15 [4059315XXX] ws_proc.cpp:1002 - INFO : 00 NOGS::wallet version match: 1.2
0 Karma
Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...