What I am trying to achive is to ignore any carriage returns , new lines ,special symbols and Break the log into lines/ events when It sees regex "-----#-----" . I tried the g on following entries in my props.conf on full forwarder ..I am running splunk 4.2.2 on redhat .
Props.conf entries that I tried are :
[work_request]
TZ = US/Eastern
TIME_FORMAT = %Y-%m-%d %H:%M:%S
MAX_EVENTS=1
SHOULD_LINEMERGE = false
LINE_BREAKER = (?m)([-]{5,}#[-]{5,})
LINE_BREAKER = (\-----#-----*)
LINE_BREAKER_LOOKBEHIND = 1000
#BREAK_ONLY_AFTER = -----#-----*
#BREAK_ONLY_AFTER = ([\r]*[-----#-----]{1}[\r]*)
#BREAK_ONLY_AFTER = ([\r\n]+[-----#-----]{1}[\r\n]+)**
sample log :
1 Not Yet Requested ROCC Phone [code]Dear Ops,
xxxx would like to set registry lock on about 550 domains, they are asking how long it will take to proceed this. the customer had asked this twice now, could you please investigate?
Thank you. [/code] Normal 0 1 WREQ0002372 yyyyyy 0 Bulk update for 550 domain name Open Work Request sfdc 2011-10-14 05:10:14 global 00d676a30a0a3c4e01fcd527a37bbca9 4 kaddada 2011-10-14 14:27:01 ROCC 2011-10-14 14:27:01 2011-10-14 05:10:16 CORE SRS Verification T-00002893: Bulk update for 550 domain name Request for Information Low 1 2011-10-14 14:27:00 Proceed to Next Task Cancel all future Tasks -----#-----
1 Not Yet Requested ROCC Phone [code]
Dear OPS,
Please find the attached file which has list of domanis, which need to be put on Registry Lock.| Below are Registrar Details Registrar Name:| xxxxxxxx INTERNET NAMES WORLDWIDE GURID: 22 NCC ID: 33 Please note : Registrar is requesting this to be done ASAP. Regards
asvvvvr [/code] Normal 0 1 WREQ0002373 Nitin Asher 0 Registry Lock Open Work Request sfdc 2011-10-14 06:17:33 global 0114162f0a0a3c4e01124621ff497c0c 4 kaddada 2011-10-14 14:26:35 ROCC 2011-10-14 14:26:35 2011-10-14 06:17:35 CORE SRS Verification T-00002894: Registry Lock Request for Information Low 1 2011-10-14 14:26:34 Proceed to Next Task Cancel all future Tasks -----#-----
1 Not Yet Requested SYMC Colo User CORP.MTV1 Phone Details: Hi^M
We are changing the IP address for authconnect-mtv.verisign.net to 216.168.241.251. The details as follows^M ^M
... View more