Hi,
Newbie in regex, would like help to add a line after transactionid=XXXXXX. My props looks like this:
[source::/nyx/nogscore/log/nogscore-*]
SHOULD_LINEMERGE=False
BREAK_ONLY_BEFORE_DATE=false
LINE_BREAKER_LOOKBEHIND=500
LINE_BREAKER=(transactionid=[0-9]+)
DATETIME_CONFIG=CURRENT
LOG:
NNNN :000.01| 06:37:15 [4067241XXX] ws_proc.cpp:1002 - INFO : 00 NOGS::wallet version match: 1.2
NNNN :000.00| 06:37:15 [40672414XXX] ws_api12.cpp:279 * CHECK : 10 NOGS:::#name=wager;accountid=2-4410XXX-USD,USD;activationid=;apiversion=1.0;betamount=0.06;campaignid=;clienttype=html5;currency=USD;gpgameid=doctorlove;gpid=100;jpc=;loginname=XXX;opid=XXX;password=XXX;request=wager;roundid=529233;sessionid=0000000CEDE13001c099559651a5ca63d5d325bde65907e3e55683dca0338159965a2fc1c2bfb311;transactionid=1268348 (Like a new line after this)
NNNN :000.01| 06:37:15 [4059315XXX] ws_proc.cpp:1002 - INFO : 00 NOGS::wallet version match: 1.2
NNNN :000.00| 06:37:15 [4059315XXX] ws_api12.cpp:606 * CHECK : 10 NOGS:::#name=result;accountid=2-44101XXX-USD,USD;apiversion=1.0;clienttype=html5;currency=USD;gamestatus=completed;gpgameid=doctorlove;gpid=100;houseincome=;jpwonamount=;loginname=XXX;opid=XXX;password=XXXX;request=result;roundid=529233;sessionid=0000000CEDE13001c099559651a5ca63d5d325bde65907e3e55683dca0338159965a2fc1c2bfb311;transactionid=1268349;wonamount=0.00
I am going to assume you mean exactly what you said (which seems very strange to me). Do it like this in props.conf:
[source::/nyx/nogscore/log/nogscore-*]
SEDCMD-add_extra_newline_at_end_of_line_after_transactionid = s/(transactionid=.*$)/\1\n/g
Note: After making changes to props.conf and deploying to Indexers (or Heavy Forwarders), restart all Splunk Enterprise instances to enable the configuration changes. This applies ONLY TO EVENTS THAT ARE INDEXED POST-RESTART.
http://docs.splunk.com/Documentation/Splunk/6.2.0/Data/Anonymizedatausingconfigurationfiles
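To make the two mechanisms in this thread concrete, here is an added Python model (not Splunk code and not from any poster) that replays the question's LINE_BREAKER and the answer's SEDCMD on a constructed two-line sample. It assumes Splunk's documented LINE_BREAKER rule that the text of the first capture group is discarded from the stream, and uses Python's re as a stand-in for Splunk's PCRE engine.

```python
import re

# Constructed sample modelled on the question's log (fields shortened, secrets
# replaced with XXX): two physical lines exactly as they would sit on disk.
RAW = (
    "NNNN :000.00| 06:37:15 [40672414XXX] ws_api12.cpp:279 * CHECK : 10 NOGS:::"
    "#name=wager;accountid=2-4410XXX-USD,USD;request=wager;roundid=529233;"
    "sessionid=0000000CEDE13001;transactionid=1268348\n"
    "NNNN :000.01| 06:37:15 [4059315XXX] ws_proc.cpp:1002 - INFO : 00 "
    "NOGS::wallet version match: 1.2\n"
)

ASKER_LINE_BREAKER = r"(transactionid=[0-9]+)"   # from the question's props.conf
DEFAULT_LINE_BREAKER = r"([\r\n]+)"               # Splunk's default


def line_break(raw: str, line_breaker: str) -> list[str]:
    """Model of LINE_BREAKER: the raw stream is cut at every match of the first
    capture group, and the captured text itself is discarded (never indexed).
    Leading/trailing newlines are trimmed here for readability (simplification)."""
    events, pos = [], 0
    for m in re.finditer(line_breaker, raw):
        events.append(raw[pos:m.start(1)])
        pos = m.end(1)
    events.append(raw[pos:])
    return [e.strip("\r\n") for e in events if e.strip()]


def add_newline_after_transactionid(event: str) -> str:
    """The answer's SEDCMD, s/(transactionid=.*$)/\\1\\n/g, replayed with
    Python's re. As in PCRE's default mode, '$' only matches at the end of the
    event, so the rule fires only when transactionid sits on the last line."""
    return re.sub(r"(transactionid=.*$)", r"\1\n", event)


if __name__ == "__main__":
    for name, lb in (("asker", ASKER_LINE_BREAKER), ("default", DEFAULT_LINE_BREAKER)):
        print(f"--- LINE_BREAKER={lb} ({name})")
        for ev in line_break(RAW, lb):
            print(repr(add_newline_after_transactionid(ev)))
```

Running it shows that the question's LINE_BREAKER splits the stream where intended but removes `transactionid=1268348` from both events, while the default line breaker keeps it and the SEDCMD then appends the newline.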
Are you saying that in your file that you would like to merge lines such that they are treated as a multi-line event all the way until the last line which should contain "transactionid=" and then at the next newline, break the event there and start a new event?
Looks like this:
essionid=0000000CEDE13001c099559651a5ca63d5d325bde65907e3e55683dca0338159965a2fc1c2bfb311;transactionid=1268348
NNNN :000.01| 06:37:15 [4059315XXX] ws_proc.cpp:1002 - INFO : 00 NOGS::wallet version match: 1.2
Want to look like this:
sessionid=0000000CEDE13001c099559651a5ca63d5d325bde65907e3e55683dca0338159965a2fc1c2bfb311;transactionid=1268348
NNNN :000.01| 06:37:15 [4059315XXX] ws_proc.cpp:1002 - INFO : 00 NOGS::wallet version match: 1.2
Is your example one after you've manually inserted a carriage return into it, is it the actual LOG line as it sits on disk before Splunk ingested it, or the _raw event, or...
Basically, do your events look like this (trimmed):
sessionid=0000000CEDE13001c099559651a5ca63d5d325bde65907e3e55683dca0338159965a2fc1c2bfb311;transactionid=1268348 NNNN :000.01| 06:37:15 [4059315XXX] ws_proc.cpp:1002 - INFO : 00 NOGS::wallet version match: 1.2
or like this:
sessionid=0000000CEDE13001c099559651a5ca63d5d325bde65907e3e55683dca0338159965a2fc1c2bfb311;transactionid=1268348
NNNN :000.01| 06:37:15 [4059315XXX] ws_proc.cpp:1002 - INFO : 00 NOGS::wallet version match: 1.2
And do you want them to look like this:
sessionid=0000000CEDE13001c099559651a5ca63d5d325bde65907e3e55683dca0338159965a2fc1c2bfb311;transactionid=1268348
NNNN :000.01| 06:37:15 [4059315XXX] ws_proc.cpp:1002 - INFO : 00 NOGS::wallet version match: 1.2
or like this:
sessionid=0000000CEDE13001c099559651a5ca63d5d325bde65907e3e55683dca0338159965a2fc1c2bfb311;transactionid=1268348
NNNN :000.01| 06:37:15 [4059315XXX] ws_proc.cpp:1002 - INFO : 00 NOGS::wallet version match: 1.2