Splunk Search

How to line break events

anasamer
New Member

Can anyone here help with breaking this sample into multiple events, each of which should start with { "resourceId": ?
I have the below log sample:

{"records": [{ "resourceId": "/SUBSCRIPTIONS/9799XXX5-F9BF-XXXX-XXXX-6DDXXXXXF4D99/RESOURCEGROUPS/DEVELOPMENT/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/SPLUNKWAF", "operationName": "ApplicationGatewayFirewall", "time": "2019-06-11T11:09:39.2282087Z", "category": "ApplicationGatewayFirewallLog", "properties": {
  "instanceId": "ApplicationGatewayRole_IN_1",
  "clientIp": "10.0.1.5",
  "clientPort": "0",
  "requestUri": "/en-GB/splunkd/__raw/services/server/health/splunkd?output_mode=json&_=1560250716771",
  "ruleSetType": "OWASP",
  "ruleSetVersion": "3.0",
  "ruleId": "920350",
  "ruleGroup": "920-PROTOCOL-ENFORCEMENT",
  "message": "Host header is a numeric IP address",
  "action": "Matched",
  "site": "Global",
  "details": {
    "message": "Warning. Pattern match \"^[\\\\d.:]+$\" at REQUEST_HEADERS:Host.",
    "data": "10.10.10.10:8001",
    "file": "rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf",
    "line": "791"
  },
  "hostname": "10.10.10.10",
  "transactionId": "17726168135477758612"
}},{ "resourceId": "/SUBSCRIPTIONS/9799XXX5-F9BF-XXXX-XXXX-6DDXXXXXF4D99/RESOURCEGROUPS/DEVELOPMENT/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/SPLUNKWAF", "operationName": "ApplicationGatewayFirewall", "time": "2019-06-11T11:09:43.2069335Z", "category": "ApplicationGatewayFirewallLog", "properties": {
  "instanceId": "ApplicationGatewayRole_IN_1",
  "clientIp": "10.0.1.5",
  "clientPort": "0",
  "requestUri": "/en-GB/splunkd/__raw/services/messages?output_mode=json&sort_key=timeCreated_epochSecs&sort_dir=desc&count=1000&_=1560250720227",
  "ruleSetType": "OWASP",
  "ruleSetVersion": "3.0",
  "ruleId": "920350",
  "ruleGroup": "920-PROTOCOL-ENFORCEMENT",
  "message": "Host header is a numeric IP address",
  "action": "Matched",
  "site": "Global",
  "details": {
    "message": "Warning. Pattern match \"^[\\\\d.:]+$\" at REQUEST_HEADERS:Host.",
    "data": "10.10.10.10:8001",
    "file": "rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf",
    "line": "791"
  },
  "hostname": "10.10.10.10",
  "transactionId": "17726168135477758613"
}},{ "resourceId": "/SUBSCRIPTIONS/9799XXX5-F9BF-XXXX-XXXX-6DDXXXXXF4D99/RESOURCEGROUPS/DEVELOPMENT/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/SPLUNKWAF", "operationName": "ApplicationGatewayFirewall", "time": "2019-06-11T11:09:49.9545793Z", "category": "ApplicationGatewayFirewallLog", "properties": {
  "instanceId": "ApplicationGatewayRole_IN_1",
  "clientIp": "10.0.1.5",
  "clientPort": "0",
  "requestUri": "/en-GB/splunkd/__raw/services/messages?output_mode=json&sort_key=timeCreated_epochSecs&sort_dir=desc&count=1000&_=1560250716774",
  "ruleSetType": "OWASP",
  "ruleSetVersion": "3.0",
  "ruleId": "920350",
  "ruleGroup": "920-PROTOCOL-ENFORCEMENT",
  "message": "Host header is a numeric IP address",
  "action": "Matched",
  "site": "Global",
  "details": {
    "message": "Warning. Pattern match \"^[\\\\d.:]+$\" at REQUEST_HEADERS:Host.",
    "data": "10.10.10.10:8001",
    "file": "rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf",
    "line": "791"
  },
  "hostname": "10.10.10.10",
  "transactionId": "17726168135477758614"
}}]}
{"records": [{ "resourceId": "/SUBSCRIPTIONS/9799XXX5-F9BF-XXXX-XXXX-6DDXXXXXF4D99/RESOURCEGROUPS/DEVELOPMENT/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/SPLUNKWAF", "operationName": "ApplicationGatewayFirewall", "time": "2019-06-11T11:08:59.1006429Z", "category": "ApplicationGatewayFirewallLog", "properties": {
  "instanceId": "ApplicationGatewayRole_IN_0",
  "clientIp": "10.0.1.7",
  "clientPort": "0",
  "requestUri": "/en-GB/splunkd/__raw/services/server/health/splunkd?output_mode=json&_=1560250716762",
  "ruleSetType": "OWASP",
  "ruleSetVersion": "3.0",
  "ruleId": "920350",
  "ruleGroup": "920-PROTOCOL-ENFORCEMENT",
  "message": "Host header is a numeric IP address",
  "action": "Matched",
  "site": "Global",
  "details": {
    "message": "Warning. Pattern match \"^[\\\\d.:]+$\" at REQUEST_HEADERS:Host.",
    "data": "10.10.10.10:8001",
    "file": "rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf",
    "line": "791"
  },
  "hostname": "10.10.10.10",
  "transactionId": "17365880165288120552"
}}]}
0 Karma

richgalloway
SplunkTrust

Have you tried LINE_BREAKER = ()\{ "resourceId": ?

---
If this reply helps you, Karma would be appreciated.
0 Karma

anasamer
New Member

Nope, it is not working.


0 Karma

FrankVl
Ultra Champion

Your image is not publicly visible. Make sure to fix the typo (you need capital I instead of lowercase).

0 Karma

FrankVl
Ultra Champion

The i in resourceId must be a capital I 🙂

Of course to be combined with SHOULD_LINEMERGE = false.

And a bit more specific line break to try could be: LINE_BREAKER = ((?:\]\})?[\r\n\s]*\{"records":\s\[|,)\{\s"resourceId":
That also strips out the , in between events and the "records": [ bit.

0 Karma

richgalloway
SplunkTrust

I fixed the 'I'.

---
If this reply helps you, Karma would be appreciated.
0 Karma

anasamer
New Member

Thanks @FrankVl, this regex captured the records in the middle of the log but is not capturing the first records.

0 Karma

anasamer
New Member

regexr.com/4flnp

0 Karma

FrankVl
Ultra Champion

That is not the same regex I shared 😉

You added a closing } in between the character class that is matching line breaks and the * behind it. And then indeed it doesn't work properly. Your fix is also incorrect, as it should be a * to add, not a ?, since there could be a combination of multiple line break and whitespace characters.

But you simply shouldn't add that } there in the first place, as it will result in stripping that off from the end of the previous event and that will break your json syntax.

I think it should work if you use the exact regex I shared, but do let me know if it doesn't: https://regexr.com/4flu5

0 Karma

anasamer
New Member

I fixed it by adding ?, so it will be like:

((?:\]\})*[\r\n\s]?}*\{"records":\s\[|,)\{\s*"resourceId":

Thanks

0 Karma
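To see what the three patterns in this thread (FrankVl's suggestion, the "}" variant described in his last reply, and the "?" version from the final post) actually do, here is an added Python emulation of Splunk's LINE_BREAKER behaviour, run over a constructed miniature of the sample above; it is not code from the thread or from Splunk, and the CRLF between batches and the reduced field set are assumptions.

```python
import json
import re

# Constructed miniature of the Azure Application Gateway WAF export in the
# question: two "records" batches (two records, then one) separated by CRLF.
SAMPLE = (
    '{"records": [{ "resourceId": "/SUBSCRIPTIONS/EXAMPLE/SPLUNKWAF", '
    '"properties": {"ruleId": "920350", "transactionId": "1"}},'
    '{ "resourceId": "/SUBSCRIPTIONS/EXAMPLE/SPLUNKWAF", '
    '"properties": {"ruleId": "920350", "transactionId": "2"}}]}\r\n'
    '{"records": [{ "resourceId": "/SUBSCRIPTIONS/EXAMPLE/SPLUNKWAF", '
    '"properties": {"ruleId": "920350", "transactionId": "3"}}]}'
)

# FrankVl's regex, the variant with "}" placed between the whitespace class
# and its "*" (as described in the thread), and the "?" fix from the last post.
SUGGESTED = r'((?:\]\})?[\r\n\s]*\{"records":\s\[|,)\{\s"resourceId":'
WITH_BRACE = r'((?:\]\})?[\r\n\s]}*\{"records":\s\[|,)\{\s"resourceId":'
FINAL_FIX = r'((?:\]\})*[\r\n\s]?}*\{"records":\s\[|,)\{\s*"resourceId":'


def split_events(raw, line_breaker):
    """Emulate LINE_BREAKER with SHOULD_LINEMERGE = false: the previous event
    ends where capture group 1 starts, the group's text is discarded, and the
    next event begins right after it, so the part of the match outside the
    group ('{ "resourceId":') is kept at the front of the new event."""
    events, start = [], 0
    for m in re.finditer(line_breaker, raw):
        if raw[start:m.start(1)].strip():
            events.append(raw[start:m.start(1)])
        start = m.end(1)
    if raw[start:].strip():
        events.append(raw[start:])
    return events


def leftovers(raw, line_breaker):
    """Parse the leading JSON object of each event and return what trails it:
    '' is a clean event, ']}' is a batch closer the regex did not strip, and
    None means the event does not even start with a complete object."""
    out = []
    for event in split_events(raw, line_breaker):
        try:
            _, end = json.JSONDecoder().raw_decode(event)
        except json.JSONDecodeError:
            out.append(None)
            continue
        out.append(event[end:].strip())
    return out
```

Even the suggested regex leaves "]}" on the very last event of the input, and the "?" version leaves it at every CRLF batch boundary, so check the tail of those events after ingestion.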