Solved: regex help for props.conf BREAK_ONLY_BEFORE option

conner9 · ‎01-17-2014

So we have a script that runs tests to monitor if a system has changed and the output examples below are the lines I need to break before. This will allow us to easily display the results of the tests. None of the lines of data that include the results have the # preceding them, but they may have a # in the line somewhere.
I am hoping someone might suggest a regex that will allow me to break the event appropriately.

BREAK_ONLY_BEFORE=Regex

Jan 17 15:07:58 hostname.test.com filename.pl # check USB access

Jan 17 15:07:58 hostname.test.com filename.pl # check File name access access
Jan 17 15:07:58 hostname.test.com filename.pl ##### filename.pl #####

Jan 17 15:07:58 hostname.test.com filename.pl ##### filename1.pl #####

Thanks for any thoughts.

michael_reeves · ‎05-08-2014

You may want to try the BREAK_ONLY_BEFORE_DATE boolian config option outlined in the Splunk Doc found at http://docs.splunk.com/Documentation/Splunk/6.0.3/Data/Indexmulti-lineevents

View solution in original post

michael_reeves · ‎05-08-2014

You may want to try the BREAK_ONLY_BEFORE_DATE boolian config option outlined in the Splunk Doc found at http://docs.splunk.com/Documentation/Splunk/6.0.3/Data/Indexmulti-lineevents

regex help for props.conf BREAK_ONLY_BEFORE option

Splunk MCP & Agentic AI: Machine Data Without Limits

Finding Based Detections General Availability

Get Your Hands Dirty (and Your Shoes Comfy): The Splunk Experience

Join the Conversation

regex help for props.conf BREAK_ONLY_BEFORE option

Splunk MCP & Agentic AI: Machine Data Without Limits

Finding Based Detections General Availability

Get Your Hands Dirty (and Your Shoes Comfy): The Splunk Experience