Splunk Search

regex help for props.conf BREAK_ONLY_BEFORE option

conner9
Path Finder

So we have a script that runs tests to monitor if a system has changed and the output examples below are the lines I need to break before. This will allow us to easily display the results of the tests. None of the lines of data that include the results have the # preceding them, but they may have a # in the line somewhere.
I am hoping someone might suggest a regex that will allow me to break the event appropriately.

BREAK_ONLY_BEFORE=Regex

Jan 17 15:07:58 hostname.test.com filename.pl # check USB access

Jan 17 15:07:58 hostname.test.com filename.pl # check File name access access
Jan 17 15:07:58 hostname.test.com filename.pl ##### filename.pl #####

Jan 17 15:07:58 hostname.test.com filename.pl ##### filename1.pl #####

Thanks for any thoughts.

0 Karma
1 Solution

michael_reeves
Engager

You may want to try the BREAK_ONLY_BEFORE_DATE boolian config option outlined in the Splunk Doc found at http://docs.splunk.com/Documentation/Splunk/6.0.3/Data/Indexmulti-lineevents

View solution in original post

0 Karma

michael_reeves
Engager

You may want to try the BREAK_ONLY_BEFORE_DATE boolian config option outlined in the Splunk Doc found at http://docs.splunk.com/Documentation/Splunk/6.0.3/Data/Indexmulti-lineevents

0 Karma
Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!