Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Getting Data In
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- How to set up an appropriate line breaker for data...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to set up an appropriate line breaker for data from log file?
slipinski
Path Finder
02-17-2023
04:53 AM
Hi Splunkers,
I'm struggling with setting up an appropriate line breaker for data from log file. The example is below. I tried to use Event-breaking policy set to "every line", but it doesn't work fine as the last line consists of 3 events. I would like to break lines based on [abcdef.abcs][info][gc], but I'm not entirely sure whether it's possible.
Could you please take a look?
[883722.688s][info][gc] GC(40135) Pause Init Mark (process weakrefs) 1653.109ms
[883734.774s][info][gc] GC(40135) Concurrent marking (process weakrefs) 12086.056ms
[883736.181s][info][gc] GC(40135) Concurrent precleaning 1406.445ms
[883738.907s][info][gc] GC(40135) Pause Final Mark (process weakrefs) 2724.588ms [883738.908s][info][gc] GC(40135) Concurrent cleanup 72424M->72273M(153600M) 0.229ms [883739.217s][info][gc] GC(40135) Concurrent evacuation 308.624ms [883739.217s][info][gc] GC(40135) Pause Init Update Refs 0.137ms
[883742.192s][info][gc] GC(40135) Concurrent update references 2975.050ms [883742.195s][info][gc] GC(40135) Pause Final Update Refs 1.175ms [883742.196s][info][gc] GC(40135) Concurrent cleanup 80318M->62137M(153600M) 0.204ms [883742.197s][info][gc] Trigger: Allocated since last cycle (15943M) is larger than allocation threshold (15360M) [883742.224s][info][gc] GC(40136) Concurrent reset 26.618ms [883743.575s][info][gc] GC(40136) Pause Init Mark 1349.467ms
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
slipinski
Path Finder
02-17-2023
05:26 AM
I've already given it a go (not in props.conf, but in the sourcetype edit tab in GUI - I'm using cloud premise). It doesn't break lines correctly.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
batabay
Path Finder
02-17-2023
06:22 AM
Also , you can try this.
LINE_BREAKER = ()[\[\w\.\]]+- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
batabay
Path Finder
02-17-2023
05:13 AM
Can you try in props.conf this config:
LINE_BREAKER = ([\r\n]+)[\[\w\.\]]+
Get Updates on the Splunk Community!
Building Reliable Asset and Identity Frameworks in Splunk ES
Accurate asset and identity resolution is the backbone of security operations. Without it, alerts are ...
Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting
For Splunk Cloud customers, understanding and optimizing Splunk Virtual Compute (SVC) usage and resource ...
Automatic Discovery Part 3: Practical Use Cases
If you’ve enabled Automatic Discovery in your install of the Splunk Distribution of the OpenTelemetry ...
