camera log line breaking

twistedsixty4
Path Finder

Hey all,
So I'm trying to add our camera system logs to Splunk, but because of the formatting of the status logs it breaks them at the wrong spot. I've tried to specify custom line-breaking rules in the props file, but I must be doing something wrong.

here is a sample log:

Device Status:
 ctime=1392061339.198785
 lcode=1 (NORMAL)
 mcode=1 (NORMAL)
 afpks=009830
 afius=038551

Device Settings:
name=abc10
type=asd
ctime=1392041485.026564
imgq=86
fps=10
vca=0
apb=0
ptz=0/0/100/50/0
most=-6
cbbytes=33554432
mibytes=524288
iscount=64

Latest Data:
isnm=194206
ssnm=4134514
size=165465
Device Status:
ctime=1392061339.198785
lcode=1 (NORMAL)
mcode=1 (NORMAL)
afpks=009830
afius=038551

Device Settings:
name=abc10
type=asd
ctime=1392041485.026564
imgq=86
fps=10
vca=0
apb=0
ptz=0/0/100/50/0
most=-6
cbbytes=33554432
mibytes=524288
iscount=64

Latest Data:
isnm=194206
ssnm=4134514
size=165465
Device Status:
ctime=1392061339.198785
lcode=1 (NORMAL)
mcode=1 (NORMAL)
afpks=009830
afius=038551

Device Settings:
name=abc10
type=asd
ctime=1392041485.026564
imgq=86
fps=10
vca=0
apb=0
ptz=0/0/100/50/0
most=-6
cbbytes=33554432
mibytes=524288

Splunk keeps trying to break on the "ctime=\d+.\d+" string, but a full log runs from the "Device\sStatus:" line to just before the next "Device\sStatus:". So when it breaks on ctime I get twice as many logs with half of the information in each.

Under the file match condition heading, this is the line I added:

[source::.../status-data/*/*.status]

LINE_BREAKER = (Device\sStatus:)
SHOULD_LINEMERGE = false
BREAK_ONLY_BEFORE_DATE = false

Thanks for the help, guys!


somesoni2
SplunkTrust

Try with this props.conf setting.

[source::.../status-data/*/*.status]
BREAK_ONLY_BEFORE = Device Status
NO_BINARY_CHECK = 1
SHOULD_LINEMERGE = true
TIME_PREFIX = ctime=
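
As an added illustration (my own code, not from this thread or from Splunk), the Python below emulates the two breaking behaviours discussed above on a constructed, trimmed copy of the asker's log: a new event at every ctime value (an approximation of the timestamp-driven breaking the asker saw) versus BREAK_ONLY_BEFORE on the Device Status header, with TIME_PREFIX taking the status ctime rather than the later settings ctime. The regexes and the section-aware key=value parser are assumptions that approximate Splunk's behaviour, useful for checking that an onboarded file yields one event per record before trusting searches over it.

```python
import re
from datetime import datetime, timezone
# Constructed sample in the shape of the camera status log (two records, trimmed).
SAMPLE = """Device Status:
 ctime=1392061339.198785
 lcode=1 (NORMAL)

Device Settings:
name=abc10
ctime=1392041485.026564

Latest Data:
size=165465
Device Status:
ctime=1392061399.500000
lcode=1 (NORMAL)

Device Settings:
name=abc10
ctime=1392041485.026564

Latest Data:
size=165470
"""

def break_events(text, break_before):
    """Emulate BREAK_ONLY_BEFORE: a new event starts at each line matching the regex."""
    rx = re.compile(break_before)
    events = []
    for line in text.splitlines():
        if rx.search(line) or not events:
            events.append([])
        events[-1].append(line)
    return ["\n".join(ev) for ev in events]

def event_time(event, time_prefix="ctime="):
    """Emulate TIME_PREFIX: take the epoch value right after the first prefix in the event."""
    m = re.search(re.escape(time_prefix) + r"(\d+(?:\.\d+)?)", event)
    return datetime.fromtimestamp(float(m.group(1)), tz=timezone.utc) if m else None

def parse_sections(event):
    """Group key=value pairs by section so the two ctime keys do not collide."""
    out, section = {}, None
    for line in (l.strip() for l in event.splitlines()):
        if line.endswith(":"):
            section = out.setdefault(line[:-1], {})
        elif "=" in line and section is not None:
            k, v = line.split("=", 1)
            section[k] = v
    return out
```

Breaking on the ctime pattern yields a header stub plus two fragments per record, while breaking before "Device Status:" yields exactly one event per record with the status ctime as its timestamp.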


twistedsixty4
Path Finder

This worked perfectly! Also, I realized that part of my problem was that I was updating the props file on the forwarder, not the server, oops! Thanks for your help!
