Splunk Search

regex Adding an empty line after value found

Giggs
New Member

Hi,

Newbie in regex, would like help to add a line after transactionid=XXXXXX. My props looks like this:

[source::/nyx/nogscore/log/nogscore-*]
SHOULD_LINEMERGE=False
BREAK_ONLY_BEFORE_DATE=false
LINE_BREAKER_LOOKBEHIND=500
LINE_BREAKER=(transactionid=[0-9]+)
DATETIME_CONFIG=CURRENT

LOG:
NNNN :000.01| 06:37:15 [4067241XXX] ws_proc.cpp:1002 - INFO : 00 NOGS::wallet version match: 1.2
NNNN :000.00| 06:37:15 [40672414XXX] ws_api12.cpp:279 * CHECK : 10 NOGS:::#name=wager;accountid=2-4410XXX-USD,USD;activationid=;apiversion=1.0;betamount=0.06;campaignid=;clienttype=html5;currency=USD;gpgameid=doctorlove;gpid=100;jpc=;loginname=XXX;opid=XXX;password=XXX;request=wager;roundid=529233;sessionid=0000000CEDE13001c099559651a5ca63d5d325bde65907e3e55683dca0338159965a2fc1c2bfb311;transactionid=1268348 (Like a new line after this)
NNNN :000.01| 06:37:15 [4059315XXX] ws_proc.cpp:1002 - INFO : 00 NOGS::wallet version match: 1.2
NNNN :000.00| 06:37:15 [4059315XXX] ws_api12.cpp:606 * CHECK : 10 NOGS:::#name=result;accountid=2-44101XXX-USD,USD;apiversion=1.0;clienttype=html5;currency=USD;gamestatus=completed;gpgameid=doctorlove;gpid=100;houseincome=;jpwonamount=;loginname=XXX;opid=XXX;password=XXXX;request=result;roundid=529233;sessionid=0000000CEDE13001c099559651a5ca63d5d325bde65907e3e55683dca0338159965a2fc1c2bfb311;transactionid=1268349;wonamount=0.00

Tags (2)
0 Karma

woodcock
Esteemed Legend

I am going to assume you mean exactly what you said (which seems very strange to me). Do it like this in props.conf:

[source::/nyx/nogscore/log/nogscore-*]
SEDCMD-add_extra_newline_at_end_of_line_after_transactionid = s/(transactionid=.*$)/\1\n/g

Note: After making changes to props.conf and deploying to Indexers (or Heavy Forwarders), restart all Splunk Enterprise instances to enable the configuration changes. This applies ONLY TO EVENTS THAT ARE INDEXED POST-RESTART.

http://docs.splunk.com/Documentation/Splunk/6.2.0/Data/Anonymizedatausingconfigurationfiles

0 Karma

woodcock
Esteemed Legend

Are you saying that in your file that you would like to merge lines such that they are treated as a multi-line event all the way until the last line which should contain "transactionid=" and then at the next newline, break the event there and start a new event?

0 Karma

Giggs
New Member

Looks like this :

essionid=0000000CEDE13001c099559651a5ca63d5d325bde65907e3e55683dca0338159965a2fc1c2bfb311;transactionid=1268348
NNNN :000.01| 06:37:15 [4059315XXX] ws_proc.cpp:1002 - INFO : 00 NOGS::wallet version match: 1.2

Want to look like this :sessionid=0000000CEDE13001c099559651a5ca63d5d325bde65907e3e55683dca0338159965a2fc1c2bfb311;transactionid=1268348

NNNN :000.01| 06:37:15 [4059315XXX] ws_proc.cpp:1002 - INFO : 00 NOGS::wallet version match: 1.2

0 Karma

Richfez
SplunkTrust
SplunkTrust

Is your example one after you've manually inserted a carriage return into it, is it the actual LOG line as it sits on disk before Splunk ingested it, or the _raw event, or...

Basically, do your events look like this (trimmed):

sessionid=0000000CEDE13001c099559651a5ca63d5d325bde65907e3e55683dca0338159965a2fc1c2bfb311;transactionid=1268348 NNNN :000.01| 06:37:15 [4059315XXX] ws_proc.cpp:1002 - INFO : 00 NOGS::wallet version match: 1.2

or like this

sessionid=0000000CEDE13001c099559651a5ca63d5d325bde65907e3e55683dca0338159965a2fc1c2bfb311;transactionid=1268348 
NNNN :000.01| 06:37:15 [4059315XXX] ws_proc.cpp:1002 - INFO : 00 NOGS::wallet version match: 1.2

And do you want them to look like this

sessionid=0000000CEDE13001c099559651a5ca63d5d325bde65907e3e55683dca0338159965a2fc1c2bfb311;transactionid=1268348 
NNNN :000.01| 06:37:15 [4059315XXX] ws_proc.cpp:1002 - INFO : 00 NOGS::wallet version match: 1.2

or like this

sessionid=0000000CEDE13001c099559651a5ca63d5d325bde65907e3e55683dca0338159965a2fc1c2bfb311;transactionid=1268348 

NNNN :000.01| 06:37:15 [4059315XXX] ws_proc.cpp:1002 - INFO : 00 NOGS::wallet version match: 1.2
0 Karma
Get Updates on the Splunk Community!

Deep Dive into Federated Analytics: Unlocking the Full Power of Your Security Data

In today’s complex digital landscape, security teams face increasing pressure to protect sprawling data across ...

Your summer travels continue with new course releases

Summer in the Northern hemisphere is in full swing, and is often a time to travel and explore. If your summer ...

From Alert to Resolution: How Splunk Observability Helps SREs Navigate Critical ...

It's 3:17 AM, and your phone buzzes with an urgent alert. Wire transfer processing times have spiked, and ...