Need some help breaking an event out into multiple events.
For example, the following event:
7368:20130826:133019.286 status
7368:20130826:133019.389 status
7368:20130826:133019.414 status
7368:20130826:133019.433 status
The format is pid:date/timestamp space status
I have tried adding the following things to the indexer:
props.conf:
[sourcetype]
SHOULD_LINEMERGE = false
LINE_BREAKER = (\d+:%Y%m%d:%H%M%S.%3N\s)([\r\n])
and
MUST_BREAK_AFTER = (\d+:%Y%m%d:%H%M%S.%3N\s)|([\r\n])
Neither of the above seems to have any effect either good or bad on the data even after restarting the service.
What I want is every time Splunk encounters the above format of pid:date/timestamp it creates a new event.
Splunk does seem to be matching the date/timestamps up correctly; it just seems to lump all the events under the one event.
Since I'm new to both Splunk and regex expressions I'm not sure the best way to go about this.
Assuming that all events in the log file follow this format you should configure like so:
props.conf
[your_sourcetype_here]
SHOULD_LINEMERGE = false
TIME_PREFIX = :
TIME_FORMAT = %Y%m%d:%H%M%S.%3N
SHOULD_LINEMERGE = false implies that all events are single-line, and you should not need to specify any LINE_BREAKER.
MUST_NOT_BREAK_AFTER and similar BREAK_ONLY_BEFORE etc. are only relevant when SHOULD_LINEMERGE = true.
Hope this helps,
K
This worked perfectly, thanks Kristian.
Can this still be used if not all entries in the log file follow that format?
There are some entries that do not have a clear date/time stamp. I am not as concerned that those get separated out properly as I am that every time Splunk hits the above date/time stamp it creates a new event.
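Added example, not part of the thread or of Splunk itself: a small Python model of what the accepted answer's props.conf settings do (one event per line, timestamp found after the TIME_PREFIX ":" and parsed with a strptime-style TIME_FORMAT) alongside a model of the LINE_BREAKER approach that the follow-up question needs, where an event boundary is placed only in front of a line that starts with pid:date:time, so lines without a timestamp stay attached to the preceding event. The sample log is constructed (the four lines from the question plus two lines with no timestamp); the function names, the EVENT_START regex and the use of Python's %f in place of Splunk's %3N are this example's own assumptions. It also shows why the question's original attempt could not work: %Y, %m and %H are strptime tokens, not regex tokens, so a LINE_BREAKER containing them never matches.

```python
import re
from datetime import datetime

# Constructed sample input: the question's four lines plus two lines without a
# timestamp, the mixed case raised in the follow-up comment.
SAMPLE_LOG = (
    "7368:20130826:133019.286 status\n"
    "7368:20130826:133019.389 status\n"
    "  continuation without a timestamp\n"
    "7368:20130826:133019.414 status\n"
    "another orphan line\n"
    "7368:20130826:133019.433 status\n"
)

# Regex form of the event prefix pid:YYYYMMDD:HHMMSS.mmm followed by whitespace
# (an assumption for this example). Note this is a real regex; strptime tokens
# such as %Y or %H inside LINE_BREAKER, as in the question's attempt, can never match.
EVENT_START = r"\d+:\d{8}:\d{6}\.\d{3}\s"

# Stand-ins for the answer's settings: TIME_PREFIX is a regex that matches just
# before the timestamp, TIME_FORMAT is strptime-style. Python has no %3N, so %f
# (fractional seconds, accepts 1-6 digits when parsing) is used as the equivalent.
TIME_PREFIX = r":"
TIME_FORMAT = "%Y%m%d:%H%M%S.%f"


def extract_timestamp(event):
    """Emulate TIME_PREFIX/TIME_FORMAT: locate the prefix, then parse the token
    that follows it. Returns None when the event carries no parsable timestamp."""
    m = re.search(TIME_PREFIX, event)
    if not m:
        return None
    rest = event[m.end():].split()
    if not rest:
        return None
    try:
        return datetime.strptime(rest[0], TIME_FORMAT)
    except ValueError:
        return None


def break_single_line(raw):
    """SHOULD_LINEMERGE = false with no LINE_BREAKER: every non-empty line is one event."""
    return [line for line in raw.splitlines() if line.strip()]


def break_on_event_start(raw):
    # Emulate a LINE_BREAKER of the form ([\r\n]+)(?=<EVENT_START>): the newline in
    # the capturing group is consumed and becomes the boundary, but only where the
    # next line starts with pid:date:time. Lines that lack a timestamp therefore
    # remain part of the preceding event instead of becoming separate events.
    breaker = re.compile(r"([\r\n]+)(?=" + EVENT_START + ")")
    # re.split returns the captured newlines too; drop them and trim the events.
    return [ev.strip() for ev in breaker.split(raw) if ev.strip()]


if __name__ == "__main__":
    print("SHOULD_LINEMERGE = false, no LINE_BREAKER:")
    for ev in break_single_line(SAMPLE_LOG):
        print("  ", repr(ev), "->", extract_timestamp(ev))
    print("LINE_BREAKER anchored on the event prefix:")
    for ev in break_on_event_start(SAMPLE_LOG):
        print("  ", repr(ev), "->", extract_timestamp(ev))
```

With the answer's settings every line is its own event, so the two orphan lines become events with no timestamp of their own; with the lookahead-style breaker they are folded into the preceding timestamped event and every resulting event parses a time.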