Hi,

I'm stumped. I've been playing with the linebreaking trying to get the format properly, and it won't work. The format is below. I want each "Trap:" to begin a new event, down to the next "Trap:". Any suggestions?

Trap: 23708419 Wed Feb 8 02:01:11 2012 Src IP: 10.216.0.26 Agent IP: 10.216.0.26 Trap Type: Vendor Specific Specific Type: 1 Enterprise: 1.3.6.1.4.1.9.9.41.2 Object:1.3.6.1.4.1.9.9.41.1.2.3.1.2.61290766 Value:PIM Object:1.3.6.1.4.1.9.9.41.1.2.3.1.3.61290766 Value:5 Object:1.3.6.1.4.1.9.9.41.1.2.3.1.4.61290766 Value:INVALID_SRC_REG Object:1.3.6.1.4.1.9.9.41.1.2.3.1.5.61290766 Value:Received Register from XX.XX.XX.XX for (XX.XX.XX.XX, XX.XX.XX.XXX), not willing to be RP Object:1.3.6.1.4.1.9.9.41.1.2.3.1.6.61290766 Value:467d 06:45:53

Trap: 23708420 Wed Feb 8 02:01:11 2012 Src IP: 1.2.3.4 Agent IP: 1.2.3.4 Trap Type: Authentication Failure Specific Type: 0 Enterprise: 1.3.6.1.6.3.1.1.5 Object:1.3.6.1.4.1.9.2.1.5.0 Value:1.2.3.4 Object:1.3.6.1.4.1.9.9.412.1.1.1.0 Value:1 Object:1.3.6.1.4.1.9.9.412.1.1.2.0 Value:1.2.3.4

Trap: 23708421 Wed Feb 8 02:01:11 2012 Src IP: 1.2.3.4 Agent IP: 1.2.3.4 Trap Type: Authentication Failure Specific Type: 0 Enterprise: 1.3.6.1.6.3.1.1.5 Object:1.3.6.1.4.1.9.2.1.5.0 Value:1.2.3.4 Object:1.3.6.1.4.1.9.9.412.1.1.1.0 Value:1 Object:1.3.6.1.4.1.9.9.412.1.1.2.0 Value:1.2.3.4

asked 08 Feb '12, 17:22

a212830


8 Answers:

You will need to configure props.conf as below.

    [your_sourcetype]
    SHOULD_LINEMERGE = True
    BREAK_ONLY_BEFORE = Trap:

You can also refer to the following manual.

http://docs.splunk.com/Documentation/Splunk/latest/Data/Indexmulti-lineevents

answered 08 Feb '12, 17:31

Takajian

Thanks! I appreciate it.

(22 May '12, 14:28) a212830

can you vote for me?

(22 May '12, 16:23) Takajian
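To make the BREAK_ONLY_BEFORE behaviour concrete, here is an added Python emulation (not Splunk code and not from anyone in this thread) that merges a constructed multi-line trap dump into events starting at each "Trap:" line and then counts events by Trap Type; the line layout of the sample is an assumption based on what the thread describes.

```python
import re
from collections import Counter

# Constructed sample in the shape the thread implies: each trap spans several
# lines and only the first line begins with "Trap:". Addresses are the
# placeholder values from the question, not real hosts.
RAW_TRAP_LOG = """\
Trap: 23708419
Wed Feb 8 02:01:11 2012 Src IP: 10.216.0.26 Agent IP: 10.216.0.26
Trap Type: Vendor Specific Specific Type: 1
Object:1.3.6.1.4.1.9.9.41.1.2.3.1.2.61290766 Value:PIM
Trap: 23708420
Wed Feb 8 02:01:11 2012 Src IP: 1.2.3.4 Agent IP: 1.2.3.4
Trap Type: Authentication Failure Specific Type: 0
Object:1.3.6.1.4.1.9.2.1.5.0 Value:1.2.3.4
Trap: 23708421
Wed Feb 8 02:01:11 2012 Src IP: 1.2.3.4 Agent IP: 1.2.3.4
Trap Type: Authentication Failure Specific Type: 0
Object:1.3.6.1.4.1.9.2.1.5.0 Value:1.2.3.4
"""

# Same value as BREAK_ONLY_BEFORE in the answer above, anchored to line start.
BREAK_ONLY_BEFORE = re.compile(r"^Trap:")

def break_events(raw, break_before=BREAK_ONLY_BEFORE):
    """Emulate SHOULD_LINEMERGE = true + BREAK_ONLY_BEFORE: lines merge into
    the current event; a new event starts only at a line matching the regex."""
    events, current = [], []
    for line in raw.splitlines():
        if break_before.search(line) and current:
            events.append("\n".join(current))
            current = []
        current.append(line)
    if current:
        events.append("\n".join(current))
    return events

FIELDS = {
    "trap_id": re.compile(r"^Trap:\s*(\d+)"),
    "src_ip": re.compile(r"Src IP:\s*(\S+)"),
    "trap_type": re.compile(r"Trap Type:\s*(.+?)\s+Specific Type:"),
}

def parse_trap(event):
    """Extract the fields a triage search keys on from one merged event."""
    found = {name: rx.search(event) for name, rx in FIELDS.items()}
    return {name: (m.group(1) if m else None) for name, m in found.items()}

def count_by_type(raw):
    """Events per Trap Type, so a burst of Authentication Failure traps stands out."""
    return Counter(parse_trap(e)["trap_type"] for e in break_events(raw))
```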

Are you using a forwarder? Do you know where you should put props.conf in your deployment?

If you are using a light weight forwarder or universal forwarder, you need to put the props.conf on the index server. If you are using another forwarder type (HF or regular forwarder), you will need to put the props.conf on the forwarder, not the index server. Please confirm that you put props.conf in the appropriate location. You will also need to restart Splunk to reflect the configuration.

answered 08 Feb '12, 20:17

Takajian

Thanks. That almost works. It's putting the "Trap:" from the next event at the bottom of the previous event. The "Trap:" is the start of the event, and I want to include it. Any way to do that?

answered 08 Feb '12, 17:35

a212830

"Trap:" is the start of the event. If you break before "Trap:", you will see "Trap:" is the first line of the indexed event. Please let me know if I have a misunderstanding.

(08 Feb '12, 17:40) Takajian

No, you understand it, but that's not what's happening. See below from a search...

Wed Feb 8 20:53:27 2012 Src IP: 1..2.3.4 Agent IP: 1.2.3.4 Trap Type: Vendor Specific Specific Type: 0 Enterprise: 1.3.6.1.4.1.2620.1.5.6 Object:1.3.6.1.4.1.2620.1.5.6.0 Value:standby Object:1.1.1.0 Value:Cluster State Trap: 24678117 <---- this should be the start of the next trap.

answered 08 Feb '12, 17:55

a212830

edited 08 Feb '12, 17:56

Did you restart Splunk to reflect the configuration of props.conf and clean the indexed data? The configuration will apply to newly indexed data, not previously indexed data.

(08 Feb '12, 18:05) Takajian

Yeah, restarted the forwarder, and the results are below.

Wed Feb 8 23:10:18 2012 Src IP: 1.2.3.4 Agent IP: 1.2.3.4 Trap Type: Authentication Failure Specific Type: 0 Enterprise: 1.3.6.1.6.3.1.1.5 Object:1.3.6.1.4.1.9.2.1.5.0 Value:1.2.3.4 Trap: 24780942

answered 08 Feb '12, 20:12

a212830

I'm using the universal forwarder. So, the props.conf needs to go on the index server?

answered 08 Feb '12, 20:18

a212830

Yes, you need to put the props.conf on the index server.

(08 Feb '12, 20:22) Takajian

OK. I'll try that. Thanks!

answered 08 Feb '12, 20:22

a212830

That did it! Thanks!

answered 08 Feb '12, 20:34

a212830

You need to vote for me, not yourself.....

(08 Feb '12, 20:36) Takajian

Copyright © 2005-2014 Splunk Inc. All rights reserved.