- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Seperate One Event into Multiple Events
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Need some help breaking an event out into multiple events.
For example the following event:
7368:20130826:133019.286 status
7368:20130826:133019.389 status
7368:20130826:133019.414 status
7368:20130826:133019.433 status
The format is pid:date/timestamp space status
I have tried adding the following things to the indexer:
props.conf:
[sourcetype]
SHOULD_LINEMERGE = false
LINE_BREAKER = (\d+:%Y%m%d:%H%M%S.%3N\s)([\r\n])
and
MUST_BREAK_AFTER = (\d+:%Y%m%d:%H%M%S.%3N\s)|([\r\n])
Neither of the above seems to have any effect either good or bad on the data even after restarting the service.
What I want is everytime splunk encounters the above format of pid:date/timestamp it creates a new event.
Splunk does seem to be matching the date/timestamps up correctly it just seems to lump all the events under the one event.
Since I'm new to both splunk and regex expressions I'm not sure the best way to go about this.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Assuming that all events in the log file follow this format you should configure like so;
props.conf
[your_sourcetype_here]
SHOULD_LINEMERGE = false
TIME_PREFIX = :
TIME_FORMAT = %Y%m%d:%H%M%S.%3N
SHOULD_LINEMERGE = false implies that all events are single-line, and you should not need to specify any LINE_BREAKER.
MUST_NOT_BREAK_AFTER and similar BREAK_ONLY_BEFORE... etc are only relevant when SHOULD_LINEMERGE = true
Hope this helps,
K
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Assuming that all events in the log file follow this format you should configure like so;
props.conf
[your_sourcetype_here]
SHOULD_LINEMERGE = false
TIME_PREFIX = :
TIME_FORMAT = %Y%m%d:%H%M%S.%3N
SHOULD_LINEMERGE = false implies that all events are single-line, and you should not need to specify any LINE_BREAKER.
MUST_NOT_BREAK_AFTER and similar BREAK_ONLY_BEFORE... etc are only relevant when SHOULD_LINEMERGE = true
Hope this helps,
K
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This worked perfectly, thanks Kristian.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can this still be used if not all entries in the log file follow that format?
There are some entries that do not have a clear date/time stamp. I am not as concerned that those get separated out properly as I am that every time splunk hits the above date/time stamp it creates a new event.
Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...
Splunk APM: New Product Features + Community Office Hours Recap!
Index This | Forward, I’m heavy; backward, I’m not. What am I?
