Thanks @micahkemp. I am still having issues. I've tried some different values for LINE_BREAKER and it does work sometimes, but not always. I also see some "DateParserVerbose - Failed to parse timestamp" errors on this sourcetype, which I suspect are due to the LINE_BREAKER issues.
Here are my props via btool:
[weblogic:audit]
ANNOTATE_PUNCT = True
AUTO_KV_JSON = true
BREAK_ONLY_BEFORE =
BREAK_ONLY_BEFORE_DATE = True
CHARSET = UTF-8
DATETIME_CONFIG = /etc/datetime.xml
EXTRACT-WLS_INSTANCE_NAME = \/\w+\/\w+\/\w+\/(?<wls_instance>\w+)\/\w+\/\w+\/\w+\/\w+ in source
HEADER_MODE =
KV_MODE = auto
LEARN_MODEL = true
LEARN_SOURCETYPE = true
LINE_BREAKER = (Audit Record End ####)
LINE_BREAKER_LOOKBEHIND = 100
LOOKUP-dropdowns = dropdownsLookup host OUTPUT unix_category unix_group
MATCH_LIMIT = 100000
MAX_DAYS_AGO = 2000
MAX_DAYS_HENCE = 2
MAX_DIFF_SECS_AGO = 3600
MAX_DIFF_SECS_HENCE = 604800
MAX_EVENTS = 2000
MAX_TIMESTAMP_LOOKAHEAD = 48
MUST_BREAK_AFTER =
MUST_NOT_BREAK_AFTER =
MUST_NOT_BREAK_BEFORE =
SEGMENTATION = indexing
SEGMENTATION-all = full
SEGMENTATION-inner = inner
SEGMENTATION-outer = outer
SEGMENTATION-raw = none
SEGMENTATION-standard = standard
SHOULD_LINEMERGE = false
TIME_FORMAT = %b %e, %Y %I:%M:%S %p
TIME_PREFIX = #### Audit Record Begin <
TRANSFORMS =
TRUNCATE = 999999
detect_trailing_nulls = false
maxDist = 100
priority =
sourcetype =
When I run this search, I have 99% of punct values beginning with ####, as expected, but a small random amount that result from faulty line breaking. (see pic please)
index=xxx sourcetype=weblogic:audit | stats count by punct
punct                                               count
####____<_,__::_>__<_=>__<<<__=_____><:_t_=__...("   5300
####____<_,__::_>__<_=>__<<<__=_____><:_><><<>><=<   1081
####____<_,__::_>__<_=>__<<<__=____><_=_:_t_=__...      6
####_                                                   3
___<_,__::_>__<_=>__<<<__=_____><:_t_=__...("")t_=      3
")t_=__...("")><><<>><=<>,_=>>>_                        2
####____<_,__::_>__<_=>__<<<__=_____><:_t               2
####____<_,__::_>__<_=>__<<<__=_____><:_t_=__.          2
####____<_,__::_>__<_=>__<<<__=_____><:_t_=__..         2
.("")t_=__...("")><><<>><=<>,_=>>>_                     2
..("")t_=__...("")><><<>><=<>,_=>>>_                    2
=>>>_                                                   2
>>>_                                                    2
_=__...("")><><<>><=<>,_=>>>_                           2
_=__...("")t_=__...("")><><<>><=<>,_=>>>_               2
")><><<>><=<>,_=>>>_                                    1
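The two symptoms in the post (punct values that do not start with #### and DateParserVerbose timestamp failures) can be reproduced offline against the LINE_BREAKER, TIME_PREFIX, MAX_TIMESTAMP_LOOKAHEAD and TIME_FORMAT values from the btool output, before the sourcetype is touched again. The script below is an added example, not code from the poster or from Splunk. It assumes Splunk's documented LINE_BREAKER behaviour (the text matched by the first capture group is discarded and marks the event boundary), approximates the punct field rather than reproducing Splunk's exact rules, and substitutes %d for %e because Python's strptime has no %e. SAMPLE_LOG is constructed in the WebLogic DefaultAuditRecorder.log layout with two deliberately defective records, one with a timestamp in the wrong format and one fragment with no Begin marker.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in the WebLogic DefaultAuditRecorder.log layout; not data from the poster's system.
SAMPLE_LOG = (
    "#### Audit Record Begin <Mar 11, 2016 10:02:45 AM EST> <Severity =SUCCESS> "
    "<<<Event Type = Authentication Audit Event ><alice><AUTHENTICATE>>> Audit Record End ####\n"
    "#### Audit Record Begin <Mar 1, 2016 10:02:46 AM EST> <Severity =FAILURE> "
    "<<<Event Type = Authentication Audit Event ><bob><AUTHENTICATE>>> Audit Record End ####\n"
    # constructed defect: timestamp not in the configured TIME_FORMAT
    "#### Audit Record Begin <2016-03-11T10:02:47> <Severity =SUCCESS> "
    "<<<Event Type = Authorization Audit Event ><carol><ALLOW>>> Audit Record End ####\n"
    # constructed defect: fragment with no Begin marker, as a mis-broken record looks
    "<Severity =SUCCESS> <<<Event Type = Authorization Audit Event ><dave><ALLOW>>> Audit Record End ####\n"
)

# Values taken from the props.conf in the post.
LINE_BREAKER = re.compile(r"(Audit Record End ####)")
TIME_PREFIX = "#### Audit Record Begin <"
MAX_TIMESTAMP_LOOKAHEAD = 48
# TIME_FORMAT in the post is "%b %e, %Y %I:%M:%S %p"; Python strptime lacks %e,
# and %d accepts both "11" and "1", so it stands in here (assumption of this example).
PY_TIME_FORMAT = "%b %d, %Y %I:%M:%S %p"
# Regex shape of that format, used to locate the timestamp inside the lookahead window.
TIMESTAMP_RE = re.compile(r"[A-Z][a-z]{2} {1,2}\d{1,2}, \d{4} \d{1,2}:\d{2}:\d{2} [AP]M")


def break_events(raw):
    """Split raw text the way a one-capture-group LINE_BREAKER does: the text
    matched by the group is discarded and marks the boundary between events."""
    parts = LINE_BREAKER.split(raw)
    # re.split returns event text at even indices and the captured breaker at odd ones
    return [p.strip() for p in parts[0::2] if p.strip()]


def check_event(event):
    """Return (status, timestamp): 'bad_break' when the event does not start at
    TIME_PREFIX, 'bad_timestamp' when nothing within MAX_TIMESTAMP_LOOKAHEAD
    characters after the prefix parses with the configured format, else 'ok'."""
    if not event.startswith(TIME_PREFIX):
        return ("bad_break", None)
    window = event[len(TIME_PREFIX):len(TIME_PREFIX) + MAX_TIMESTAMP_LOOKAHEAD]
    m = TIMESTAMP_RE.match(window)
    if not m:
        return ("bad_timestamp", None)
    try:
        return ("ok", datetime.strptime(m.group(0), PY_TIME_FORMAT))
    except ValueError:
        return ("bad_timestamp", None)


def punct(event, width=30):
    """Approximate Splunk's punct field: drop letters and digits, map whitespace
    to '_', keep the first `width` characters. Approximation, not Splunk's code."""
    out = []
    for ch in event:
        if ch.isalnum():
            continue
        out.append("_" if ch.isspace() else ch)
    return "".join(out)[:width]


def audit_report(raw=SAMPLE_LOG):
    """Offline equivalent of the poster's `stats count by punct` check: count events
    by outcome and by punct prefix so mis-broken records stand out before indexing."""
    status_counts = Counter()
    punct_counts = Counter()
    for event in break_events(raw):
        status, _ = check_event(event)
        status_counts[status] += 1
        punct_counts[punct(event)] += 1
    return status_counts, punct_counts


if __name__ == "__main__":
    statuses, puncts = audit_report()
    for status, n in statuses.items():
        print(f"{status:14s} {n}")
    for p, n in puncts.most_common():
        print(f"{p:32s} {n}")
```

Run against a copy of the real audit file (`audit_report(open(path).read())`) the `bad_break` count should be zero if the breaker regex is right for the data; any non-zero `bad_break` with a zero `bad_timestamp` points at the breaking stage rather than the timestamp format, which is the distinction the DateParserVerbose messages alone do not make.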