Hello,
I'm having an issue where ClamAV logs aren't breaking the events correctly. I'm confident the line_breaking regex is fine: Time: \d+\.\d+ sec \(\d+ m \d+ s\)()
The issue I'm having is that sometimes the events show up in Splunk where:
"------------------------------------------" <-- This hashed line is an event. It shouldn't be its own event. It should be included at the start of every event, not be its own event. So the end of the event seems to be satisfied with the line_breaker on the time field, but how do I force Splunk to understand that the hashed line is the start of every event? As of now it works sometimes, where the hashed line is included in the event, and sometimes it does not (the hashed line is its own event).
Any way to enforce this, perhaps with some sort of index-time field parsing stanza I'm missing? You can see from the blob I'm pasting below examples of the logs (3 separate events).
-------------------------------------------------------------------------------
WARNING: Can't open file /etc/rsyslog.conf.broken: Permission denied
WARNING: Can't open file /tmp/krb5cc_888600038_buu1Z0: Permission denied
WARNING: Can't open file /tmp/krb5cc_888600038_P1SWCK: Permission denied
WARNING: Can't open file /tmp/krb5cc_888600038_pD4Mt4: Permission denied
WARNING: Can't open file /tmp/krb5cc_1846200021_ow7PXV: Permission denied
WARNING: Can't open file /tmp/krb5cc_888600429_vx2xUp: Permission denied
WARNING: Can't open file /tmp/krb5cc_888600038_QYox3k: Permission denied
WARNING: Can't open file /tmp/krb5cc_888600038_0fEYYI: Permission denied
WARNING: Can't open file /tmp/krb5cc_888600101_tfBE1x: Permission denied
WARNING: Can't open file /tmp/krb5cc_1846200026_aPhSxB: Permission denied
WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1532.log: Permission denied
WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1599.log: Permission denied
WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1695.log: Permission denied
WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1517.log: Permission denied
WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1602.log: Permission denied
WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1593.log: Permission denied
WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1592.log: Permission denied
WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1727.log: Permission denied
WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1526.log: Permission denied
WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1770.log: Permission denied
WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1513.log: Permission denied
WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1686.log: Permission denied
WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1588.log: Permission denied
WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1607.log: Permission denied
WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1605.log: Permission denied
WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1636.log: Permission denied
WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1698.log: Permission denied
WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1603.log: Permission denied
WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1785.log: Permission denied
WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1617.log: Permission denied
WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1606.log: Permission denied
WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1742.log: Permission denied
WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1585.log: Permission denied
WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1519.log: Permission denied
WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1623.log: Permission denied
WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1708.log: Permission denied
WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1590.log: Permission denied
WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1531.log: Permission denied
WARNING: Can't open file /tmp/krb5cc_888600038_Myl0Qe: Permission denied
WARNING: Can't open file /tmp/krb5cc_888600038_Y8YTvr: Permission denied
WARNING: Can't open file /tmp/krb5cc_888600038_Svzf6O: Permission denied
WARNING: Can't open file /tmp/krb5cc_888600038_QvgHg4: Permission denied
WARNING: Can't open file /tmp/krb5cc_1846200003_aWcbM9: Permission denied
WARNING: Can't open file /tmp/krb5cc_888600038_eBGT5M: Permission denied
WARNING: Can't open file /tmp/krb5cc_1846200007_cPewso: Permission denied
WARNING: Can't open file /tmp/krb5cc_888600099_vJnQRX: Permission denied
WARNING: Can't open file /tmp/krb5cc_1846200019_1cSMBo: Permission denied
WARNING: Can't open file /tmp/krb5cc_888600038_RvJuPw: Permission denied
WARNING: Can't open file /tmp/krb5cc_888600106_bhzQNt: Permission denied
WARNING: Can't open file /tmp/krb5cc_888600038_BHjkuK: Permission denied
WARNING: Can't open file /tmp/krb5cc_1846200001_02GigF: Permission denied
WARNING: Can't open file /tmp/krb5cc_888600038_8rXTya: Permission denied
WARNING: Can't open file /tmp/krb5cc_888600286_wkk2hw: Permission denied
WARNING: Can't open file /tmp/krb5cc_1846200037_PR0YIo: Permission denied
WARNING: Can't open file /tmp/krb5cc_1846200030_n0sXYf: Permission denied
WARNING: Can't open file /tmp/krb5cc_888600038_egUWcm: Permission denied
WARNING: Can't open file /tmp/krb5cc_888600038_SER8kV: Permission denied
WARNING: Can't open file /tmp/tmp.XIvDgFrUAn: Permission denied
WARNING: Can't open file /tmp/EPEL6-GPG-KEY: Permission denied
WARNING: Can't open file /tmp/krb5cc_1846200013_qujiN0: Permission denied
WARNING: Can't open file /tmp/krb5cc_888600038_g40tLJ: Permission denied
WARNING: Can't open file /tmp/krb5cc_888600427_BuOUej: Permission denied
WARNING: Can't open file /tmp/krb5cc_888600038_OpGADN: Permission denied
WARNING: Can't open file /tmp/krb5cc_888600038_jbilyY: Permission denied
WARNING: Can't open file /tmp/krb5cc_888700729_110ApX: Permission denied
WARNING: Can't open file /tmp/krb5cc_1846200028_4tocVD: Permission denied
WARNING: Can't open file /tmp/krb5cc_888600042_em0uAD: Permission denied
WARNING: Can't open file /tmp/krb5cc_888600038_qjdnTq: Permission denied
WARNING: Can't open file /tmp/krb5cc_888600043_Pyb8Hf: Permission denied
WARNING: Can't open file /tmp/krb5cc_888600111_CtZB8x: Permission denied
WARNING: Can't open file /tmp/krb5cc_888600038_HpqDys: Permission denied
WARNING: Can't open file /opt/splunk-6.4.0-f2c836328108-linux-2.6-x86_64.rpm: Permission denied
----------- SCAN SUMMARY -----------
Known viruses: 5995098
Engine version: 0.99.2
Scanned directories: 6366
Scanned files: 41938
Infected files: 0
Total errors: 83
Data scanned: 3329.70 MB
Data read: 4610.58 MB (ratio 0.72:1)
Time: 4296.029 sec (71 m 36 s)
-------------------------------------------------------------------------------
WARNING: Can't open file /etc/rsyslog.conf.broken: Permission denied
WARNING: Can't open file /tmp/krb5cc_888600038_buu1Z0: Permission denied
WARNING: Can't open file /tmp/krb5cc_1846200001_n3Udh3: Permission denied
WARNING: Can't open file /tmp/krb5cc_888600038_P1SWCK: Permission denied
WARNING: Can't open file /tmp/krb5cc_888600038_pD4Mt4: Permission denied
WARNING: Can't open file /tmp/krb5cc_888600429_vx2xUp: Permission denied
WARNING: Can't open file /tmp/krb5cc_888600038_QYox3k: Permission denied
WARNING: Can't open file /tmp/krb5cc_1846200046_tG4INP: Permission denied
WARNING: Can't open file /tmp/krb5cc_888600038_0fEYYI: Permission denied
WARNING: Can't open file /tmp/krb5cc_1846200071_HSWmZ6: Permission denied
WARNING: Can't open file /tmp/krb5cc_888600101_tfBE1x: Permission denied
WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1532.log: Permission denied
WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1599.log: Permission denied
WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1695.log: Permission denied
WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1517.log: Permission denied
WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1594.log: Permission denied
WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1595.log: Permission denied
WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1602.log: Permission denied
WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1580.log: Permission denied
WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1593.log: Permission denied
WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1592.log: Permission denied
WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1526.log: Permission denied
WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1513.log: Permission denied
WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1686.log: Permission denied
WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1588.log: Permission denied
WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1607.log: Permission denied
WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1605.log: Permission denied
WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1589.log: Permission denied
WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1636.log: Permission denied
WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1698.log: Permission denied
WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1603.log: Permission denied
WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1617.log: Permission denied
WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1606.log: Permission denied
WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1604.log: Permission denied
WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1584.log: Permission denied
WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1585.log: Permission denied
WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1519.log: Permission denied
WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1623.log: Permission denied
WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1708.log: Permission denied
WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1590.log: Permission denied
WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1531.log: Permission denied
WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1608.log: Permission denied
WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1610.log: Permission denied
WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1598.log: Permission denied
WARNING: Can't open file /tmp/krb5cc_888600038_Myl0Qe: Permission denied
WARNING: Can't open file /tmp/krb5cc_888600038_Y8YTvr: Permission denied
WARNING: Can't open file /tmp/krb5cc_888600038_Svzf6O: Permission denied
WARNING: Can't open file /tmp/krb5cc_888600038_QvgHg4: Permission denied
WARNING: Can't open file /tmp/krb5cc_1846200028_dJudKj: Permission denied
WARNING: Can't open file /tmp/krb5cc_888600038_eBGT5M: Permission denied
WARNING: Can't open file /tmp/krb5cc_1846200012_QHbp0P: Permission denied
WARNING: Can't open file /tmp/krb5cc_1846200003_3gLmvy: Permission denied
WARNING: Can't open file /tmp/tmp.z1NhS7Cf1p: Permission denied
WARNING: Can't open file /tmp/krb5cc_888600099_vJnQRX: Permission denied
WARNING: Can't open file /tmp/krb5cc_1846200016_ZuL9m4: Permission denied
WARNING: Can't open file /tmp/krb5cc_1846200048_CG4mxR: Permission denied
WARNING: Can't open file /tmp/krb5cc_1846200019_1cSMBo: Permission denied
WARNING: Can't open file /tmp/krb5cc_1846200037_FH62Pc: Permission denied
WARNING: Can't open file /tmp/tmp.a9xsZutIWq: Permission denied
WARNING: Can't open file /tmp/krb5cc_888600038_RvJuPw: Permission denied
WARNING: Can't open file /tmp/krb5cc_888600106_bhzQNt: Permission denied
WARNING: Can't open file /tmp/krb5cc_888600038_BHjkuK: Permission denied
WARNING: Can't open file /tmp/krb5cc_888600038_8rXTya: Permission denied
WARNING: Can't open file /tmp/krb5cc_888600286_wkk2hw: Permission denied
WARNING: Can't open file /tmp/krb5cc_1846200030_n0sXYf: Permission denied
WARNING: Can't open file /tmp/krb5cc_888600038_egUWcm: Permission denied
WARNING: Can't open file /tmp/krb5cc_888600038_SER8kV: Permission denied
WARNING: Can't open file /tmp/tmp.XIvDgFrUAn: Permission denied
WARNING: Can't open file /tmp/EPEL6-GPG-KEY: Permission denied
WARNING: Can't open file /tmp/krb5cc_1846200013_qujiN0: Permission denied
WARNING: Can't open file /tmp/krb5cc_888600038_g40tLJ: Permission denied
WARNING: Can't open file /tmp/krb5cc_888600427_BuOUej: Permission denied
WARNING: Can't open file /tmp/krb5cc_888600038_OpGADN: Permission denied
WARNING: Can't open file /tmp/krb5cc_888600038_jbilyY: Permission denied
WARNING: Can't open file /tmp/krb5cc_888700729_110ApX: Permission denied
WARNING: Can't open file /tmp/krb5cc_1846200051_5IDsNl: Permission denied
WARNING: Can't open file /tmp/krb5cc_888600042_em0uAD: Permission denied
WARNING: Can't open file /tmp/krb5cc_1846200049_70bzRj: Permission denied
WARNING: Can't open file /tmp/tmp.E4AJCzpOIr: Permission denied
WARNING: Can't open file /tmp/krb5cc_1846200007_R3pBFi: Permission denied
WARNING: Can't open file /tmp/krb5cc_888600038_qjdnTq: Permission denied
WARNING: Can't open file /tmp/tmp.nEx5K1P19V: Permission denied
WARNING: Can't open file /tmp/krb5cc_888600043_Pyb8Hf: Permission denied
WARNING: Can't open file /tmp/tmp.3xu23Z8tDj: Permission denied
WARNING: Can't open file /tmp/krb5cc_888600111_CtZB8x: Permission denied
WARNING: Can't open file /tmp/krb5cc_888600038_HpqDys: Permission denied
WARNING: Can't open file /opt/splunk-6.4.0-f2c836328108-linux-2.6-x86_64.rpm: Permission denied
----------- SCAN SUMMARY -----------
Known viruses: 6319346
Engine version: 0.99.2
Scanned directories: 7233
Scanned files: 45947
Infected files: 0
Total errors: 100
Data scanned: 3594.28 MB
Data read: 4821.47 MB (ratio 0.75:1)
Time: 485.906 sec (8 m 5 s)
-------------------------------------------------------------------------------
WARNING: Can't open file /etc/rsyslog.conf.broken: Permission denied
WARNING: Can't open file /tmp/krb5cc_1846200048_SKap8h: Permission denied
WARNING: Can't open file /tmp/krb5cc_888600038_buu1Z0: Permission denied
WARNING: Can't open file /tmp/krb5cc_888600038_P1SWCK: Permission denied
WARNING: Can't open file /tmp/krb5cc_888600038_pD4Mt4: Permission denied
WARNING: Can't open file /tmp/krb5cc_1846200071_e3US5K: Permission denied
WARNING: Can't open file /tmp/krb5cc_1846200021_IfCsp4: Permission denied
WARNING: Can't open file /tmp/krb5cc_888600429_vx2xUp: Permission denied
WARNING: Can't open file /tmp/krb5cc_888600038_QYox3k: Permission denied
WARNING: Can't open file /tmp/krb5cc_1846200046_tG4INP: Permission denied
WARNING: Can't open file /tmp/krb5cc_888600038_0fEYYI: Permission denied
WARNING: Can't open file /tmp/krb5cc_888600101_tfBE1x: Permission denied
WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1587.log: Permission denied
WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1599.log: Permission denied
WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1594.log: Permission denied
WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1595.log: Permission denied
WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1602.log: Permission denied
WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1580.log: Permission denied
WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1593.log: Permission denied
WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1592.log: Permission denied
WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1566.log: Permission denied
WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1578.log: Permission denied
WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1611.log: Permission denied
WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1588.log: Permission denied
WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1607.log: Permission denied
WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1605.log: Permission denied
WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1589.log: Permission denied
WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1603.log: Permission denied
WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1583.log: Permission denied
WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1596.log: Permission denied
WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1606.log: Permission denied
WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1604.log: Permission denied
WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1584.log: Permission denied
WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1582.log: Permission denied
WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1620.log: Permission denied
WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1585.log: Permission denied
WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1623.log: Permission denied
WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1590.log: Permission denied
WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1577.log: Permission denied
WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1608.log: Permission denied
WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1610.log: Permission denied
WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1598.log: Permission denied
WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1591.log: Permission denied
WARNING: Can't open file /tmp/krb5cc_888600038_Myl0Qe: Permission denied
WARNING: Can't open file /tmp/tmp.0qPyyvkhIw: Permission denied
WARNING: Can't open file /tmp/krb5cc_888600038_Y8YTvr: Permission denied
WARNING: Can't open file /tmp/krb5cc_888600038_Svzf6O: Permission denied
WARNING: Can't open file /tmp/krb5cc_888600038_QvgHg4: Permission denied
WARNING: Can't open file /tmp/krb5cc_1846200028_dJudKj: Permission denied
WARNING: Can't open file /tmp/krb5cc_888600038_eBGT5M: Permission denied
WARNING: Can't open file /tmp/krb5cc_1846200012_QHbp0P: Permission denied
WARNING: Can't open file /tmp/tmp.z1NhS7Cf1p: Permission denied
WARNING: Can't open file /tmp/krb5cc_888600099_vJnQRX: Permission denied
WARNING: Can't open file /tmp/krb5cc_1846200019_1cSMBo: Permission denied
WARNING: Can't open file /tmp/krb5cc_1846200065_NZfYE4: Permission denied
WARNING: Can't open file /tmp/krb5cc_1846200037_FH62Pc: Permission denied
WARNING: Can't open file /tmp/tmp.a9xsZutIWq: Permission denied
WARNING: Can't open file /tmp/krb5cc_1846200003_Ysuwzs: Permission denied
WARNING: Can't open file /tmp/krb5cc_888600038_RvJuPw: Permission denied
WARNING: Can't open file /tmp/krb5cc_888600106_bhzQNt: Permission denied
WARNING: Can't open file /tmp/krb5cc_888600038_BHjkuK: Permission denied
WARNING: Can't open file /tmp/krb5cc_888600038_8rXTya: Permission denied
WARNING: Can't open file /tmp/krb5cc_888600286_wkk2hw: Permission denied
WARNING: Can't open file /tmp/krb5cc_1846200030_n0sXYf: Permission denied
WARNING: Can't open file /tmp/krb5cc_1846200001_VezxBM: Permission denied
WARNING: Can't open file /tmp/krb5cc_888600038_egUWcm: Permission denied
WARNING: Can't open file /tmp/krb5cc_888600038_SER8kV: Permission denied
WARNING: Can't open file /tmp/tmp.XIvDgFrUAn: Permission denied
WARNING: Can't open file /tmp/EPEL6-GPG-KEY: Permission denied
WARNING: Can't open file /tmp/krb5cc_1846200013_qujiN0: Permission denied
WARNING: Can't open file /tmp/krb5cc_888600038_g40tLJ: Permission denied
WARNING: Can't open file /tmp/krb5cc_1846200049_zrBoRF: Permission denied
WARNING: Can't open file /tmp/krb5cc_888600427_BuOUej: Permission denied
WARNING: Can't open file /tmp/krb5cc_1846200051_5uiGLr: Permission denied
WARNING: Can't open file /tmp/krb5cc_888600038_OpGADN: Permission denied
WARNING: Can't open file /tmp/krb5cc_888600038_jbilyY: Permission denied
WARNING: Can't open file /tmp/krb5cc_888700729_110ApX: Permission denied
WARNING: Can't open file /tmp/krb5cc_1846200047_iM0nZM: Permission denied
WARNING: Can't open file /tmp/krb5cc_888600042_em0uAD: Permission denied
WARNING: Can't open file /tmp/tmp.E4AJCzpOIr: Permission denied
WARNING: Can't open file /tmp/krb5cc_1846200007_R3pBFi: Permission denied
WARNING: Can't open file /tmp/krb5cc_888600038_qjdnTq: Permission denied
WARNING: Can't open file /tmp/krb5cc_1846200016_7hh0tc: Permission denied
WARNING: Can't open file /tmp/tmp.nEx5K1P19V: Permission denied
WARNING: Can't open file /tmp/krb5cc_888600043_Pyb8Hf: Permission denied
WARNING: Can't open file /tmp/krb5cc_1846200062_Y3tkcC: Permission denied
WARNING: Can't open file /tmp/tmp.3xu23Z8tDj: Permission denied
WARNING: Can't open file /tmp/tmp.KgPSpEWZwR: Permission denied
WARNING: Can't open file /tmp/krb5cc_888600111_CtZB8x: Permission denied
WARNING: Can't open file /tmp/krb5cc_888600038_HpqDys: Permission denied
WARNING: Can't open file /tmp/krb5cc_1846200067_xWpi42: Permission denied
----------- SCAN SUMMARY -----------
Known viruses: 6319470
Engine version: 0.99.4
Scanned directories: 8003
Scanned files: 47590
Infected files: 0
Total errors: 105
Data scanned: 4118.82 MB
Data read: 5005.36 MB (ratio 0.82:1)
Time: 556.020 sec (9 m 16 s)
props.conf
[clamav]
SHOULD_LINEMERGE = false
LINE_BREAKER = (?m)(-{79}\s+)^
TRUNCATE = 0
DATETIME_CONFIG = CURRENT
My suggestion is below. This should break your events based on the dashes (assuming there are no spaces before the dashes and there are always 79 dashes). I don't see a valid timestamp in the events so timestamp recognition is effectively disabled.
props.conf
[yourSourceType]
LINE_BREAKER = ([\r\n]+)-{79}
BREAK_ONLY_BEFORE_DATE = false
TRUNCATE = 0
DATETIME_CONFIG = NONE
MAX_TIMESTAMP_LOOKAHEAD = 0
Maybe that'll help.
I need something that tells the event break that the start of each event is the hashed line, as that's what's not working currently. The line breaking on the tail end seems to work fine. It's just that the top portion of each event (hashed line) appears.
The LINE_BREAKER value above should work. It should break the events based on a line return and the 79 dashes, but still retain the dashes because they're not in the capture group.
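The capture-group behaviour described in the last reply, as an added example that is not part of the original thread: a simplified Python model of LINE_BREAKER (the text matched by the first capture group is discarded, the previous event ends before it and the next event starts after it), run over a constructed, shortened clamscan-style sample with both LINE_BREAKER values from the page. The names `line_break` and `make_scan` and the sample paths are assumptions, and the model ignores every other props.conf setting.

```python
import re

DASHES = "-" * 79  # the separator line that should open every event

# LINE_BREAKER values copied from the two props.conf stanzas on the page.
FIRST_STANZA_BREAKER = r"(?m)(-{79}\s+)^"   # dashes inside the capture group
ANSWER_BREAKER = r"([\r\n]+)-{79}"          # dashes outside the capture group


def make_scan(warn_paths, seconds):
    """Build one constructed clamscan run, shaped like the pasted log."""
    lines = [DASHES]
    lines += [f"WARNING: Can't open file {p}: Permission denied" for p in warn_paths]
    lines += [
        "----------- SCAN SUMMARY -----------",
        "Infected files: 0",
        f"Time: {seconds} sec (0 m 1 s)",
    ]
    return "\n".join(lines) + "\n"


# Constructed sample input: three runs back to back, as in the log file.
SAMPLE = (
    make_scan(["/tmp/example_a"], "1.500")
    + make_scan(["/tmp/example_b", "/tmp/example_c"], "2.250")
    + make_scan([], "3.000")
)


def line_break(raw, line_breaker):
    """Simplified model of LINE_BREAKER (not Splunk's own code).

    For each match, the event in progress ends where capture group 1
    starts, the next event begins where group 1 ends, and the text of
    group 1 itself is dropped. Empty events are not emitted.
    """
    rx = re.compile(line_breaker)
    events, start = [], 0
    for m in rx.finditer(raw):
        events.append(raw[start:m.start(1)])
        start = m.end(1)
    events.append(raw[start:])
    return [e for e in events if e.strip()]


def summarize(events):
    """Return (first line, line count) per event for a quick visual check."""
    return [(e.splitlines()[0][:40], len(e.splitlines())) for e in events]


if __name__ == "__main__":
    for name, pattern in [("first stanza", FIRST_STANZA_BREAKER),
                          ("answer", ANSWER_BREAKER)]:
        print(name, pattern)
        for first_line, n_lines in summarize(line_break(SAMPLE, pattern)):
            print(f"  {n_lines:2d} lines, starts with: {first_line}")
```

In this model the first stanza's pattern consumes the 79 dashes as the delimiter, so no event contains them, while the answer's pattern leaves them at the head of each event.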