Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Getting Data In
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- How to set up an appropriate line breaker for data...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to set up an appropriate line breaker for data from log file?
slipinski
Path Finder
02-17-2023
04:53 AM
Hi Splunkers,
I'm struggling with setting up an appropriate line breaker for data from log file. The example is below. I tried to use Event-breaking policy set to "every line", but it doesn't work fine as the last line consists of 3 events. I would like to break lines based on [abcdef.abcs][info][gc], but I'm not entirely sure whether it's possible.
Could you please take a look?
[883722.688s][info][gc] GC(40135) Pause Init Mark (process weakrefs) 1653.109ms
[883734.774s][info][gc] GC(40135) Concurrent marking (process weakrefs) 12086.056ms
[883736.181s][info][gc] GC(40135) Concurrent precleaning 1406.445ms
[883738.907s][info][gc] GC(40135) Pause Final Mark (process weakrefs) 2724.588ms [883738.908s][info][gc] GC(40135) Concurrent cleanup 72424M->72273M(153600M) 0.229ms [883739.217s][info][gc] GC(40135) Concurrent evacuation 308.624ms [883739.217s][info][gc] GC(40135) Pause Init Update Refs 0.137ms
[883742.192s][info][gc] GC(40135) Concurrent update references 2975.050ms [883742.195s][info][gc] GC(40135) Pause Final Update Refs 1.175ms [883742.196s][info][gc] GC(40135) Concurrent cleanup 80318M->62137M(153600M) 0.204ms [883742.197s][info][gc] Trigger: Allocated since last cycle (15943M) is larger than allocation threshold (15360M) [883742.224s][info][gc] GC(40136) Concurrent reset 26.618ms [883743.575s][info][gc] GC(40136) Pause Init Mark 1349.467ms
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
slipinski
Path Finder
02-17-2023
05:26 AM
I've already given it a go (not in props.conf, but in the sourcetype edit tab in GUI - I'm using cloud premise). It doesn't break lines correctly.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
batabay
Path Finder
02-17-2023
06:22 AM
Also , you can try this.
LINE_BREAKER = ()[\[\w\.\]]+- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
batabay
Path Finder
02-17-2023
05:13 AM
Can you try in props.conf this config:
LINE_BREAKER = ([\r\n]+)[\[\w\.\]]+
Get Updates on the Splunk Community!
Prove Your Splunk Prowess at .conf25—No Prereqs Required!
Your Next Big Security Credential: No Prerequisites Needed
We know you’ve got the skills, and now, earning the ...
Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code
This is the sixth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...
Splunk Answers Content Calendar, July Edition I
Hello Community!
Welcome to another month of Community Content Calendar series! For the month of July, we will ...
