Getting Data In

Is there a way to break in Splunk for the following data?

rakesh_498115
Motivator

Hi.

I have my data something like this...

SRFR10279A1 R10A1 R0033201 cdain         LOW             SDEDS1            C1600002          0          0          0 20140316 00002000 20140316 00000600 20140316 0
0000600 000000 NPROTTCP  cdteipal01                      00 04096 U15 ./TPULL/                         /host/dsds/XXXXX/EIPAL


SRFR10279A1 R102A1 R0033201 cdmin         LOW             SDEDS1            C1600001          0          0          0 20140316 00001000 20140316 00000600 20140316 0
0000600 000000 NPROTTCP  cdteipal01                      00 04096 U15 ./TPUSAGE/EIPAL_USERDETAIL_PULL_20140316000002                   /deds-host/ds/XXXXX/EIPAL


USION   SION   R0201 xfr_deds        LOW             SDEDS             C1600001          0          0          0 20140316 00001000 20140316 00000600 20140316 0
0000600 000000 SSION  cdtronm01                       00 04096 U15 /host/wcadata/OUTGOING/XXX/./IPVS/

These are sample events. All the event data has two blank lines between each event.

I have tried something like this in my props.

[props]

BREAK_ONLY_BEFORE=[\r\n\]+\s
NO_BINARY_CHECK=1
SHOULD_LINEMERGE=false
0 Karma

kristian_kolb
Ultra Champion

Firstly, your configs don't add up. BREAK_ONLY_BEFORE only has meaning when SHOULD_LINEMERGE is set to "true". Many times these kinds of problems arise from improper timestamp recognition.

Assuming that this is a single-line event, and that the "20140316 00002000" (in the first event) is the timestamp, meaning 2014-03-16 00:00:20,00, something like this could work:

props.conf

[your_sourcetype]
SHOULD_LINEMERGE=false
LINE_BREAKER = ([\r\n]+)
MAX_TIMESTAMP_LOOKAHEAD = 250
TIME_PREFIX = ^\s*(\S+\s+){10}
TIME_FORMAT = %Y%m%d %H%M%S%2N

EDIT: fixed a typo in TIME_FORMAT
/k

0 Karma

rakesh_498115
Motivator

It is multiline. I have 2 lines of data continuously, with 2 empty lines of space between them.

0 Karma

kristian_kolb
Ultra Champion

err, I made a typo (in TIME_FORMAT), but perhaps you spotted that and took the appropriate action.

Fixed it now.

Could you tell us more about your event format? single line, multi line?

0 Karma

rakesh_498115
Motivator

Hi Kristian... thanks for your update. This even didn't work on my data 😞

0 Karma

somesoni2
SplunkTrust

Is this data spread over multiple lines, or does the whole event appear in one line?

0 Karma
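One way to check candidate breaking and timestamp settings before touching props.conf, as an added example that is not from the thread or from Splunk: the script below simulates LINE_BREAKER, TIME_PREFIX and MAX_TIMESTAMP_LOOKAHEAD with Python's re on a constructed copy of the poster's sample (two physical lines per event, two blank lines between events). The LINE_BREAKER value is an assumption for that layout, and Splunk's %2N has no Python equivalent, so the hundredths are parsed separately.

```python
import re
from datetime import datetime, timedelta
from typing import Optional

# Constructed sample modelled on the thread's data: every event is two physical
# lines, and consecutive events are separated by two blank lines.
SAMPLE = (
    "SRFR10279A1 R10A1 R0033201 cdain LOW SDEDS1 C1600002 0 0 0 20140316 00002000 20140316 00000600 20140316 0\n"
    "0000600 000000 NPROTTCP cdteipal01 00 04096 U15 ./TPULL/ /host/dsds/XXXXX/EIPAL\n"
    "\n\n"
    "SRFR10279A1 R102A1 R0033201 cdmin LOW SDEDS1 C1600001 0 0 0 20140316 00001000 20140316 00000600 20140316 0\n"
    "0000600 000000 NPROTTCP cdteipal01 00 04096 U15 ./TPUSAGE/EIPAL_USERDETAIL_PULL_20140316000002 /deds-host/ds/XXXXX/EIPAL\n"
    "\n\n"
    "USION SION R0201 xfr_deds LOW SDEDS C1600001 0 0 0 20140316 00001000 20140316 00000600 20140316 0\n"
    "0000600 000000 SSION cdtronm01 00 04096 U15 /host/wcadata/OUTGOING/XXX/./IPVS/\n"
)

# Candidate props.conf values (an assumption, not settings from the thread).
# Splunk treats the first capture group of LINE_BREAKER as the delimiter and
# drops it; this one matches only a run of two or more line terminators, so the
# single newline inside an event never splits it.
LINE_BREAKER = r"((?:\r?\n){2,})"
TIME_PREFIX = r"^\s*(?:\S+\s+){10}"   # skip the ten fields before the date
MAX_TIMESTAMP_LOOKAHEAD = 250
# Splunk TIME_FORMAT would be %Y%m%d %H%M%S%2N; Python has no %2N, so the
# 15-character date/time and the two hundredths digits are parsed separately.
TIMESTAMP_RE = re.compile(r"(\d{8} \d{6})(\d{2})")


def break_events(raw: str) -> list:
    """Split raw text into events the way LINE_BREAKER would."""
    parts = re.split(LINE_BREAKER, raw)
    # re.split keeps the captured delimiters; discard them and any empty chunk
    return [p.strip("\r\n") for p in parts if p.strip()]


def extract_timestamp(event: str) -> Optional[datetime]:
    """Locate the event time using TIME_PREFIX and the lookahead window."""
    prefix = re.match(TIME_PREFIX, event)
    if not prefix:
        return None
    window = event[prefix.end():prefix.end() + MAX_TIMESTAMP_LOOKAHEAD]
    m = TIMESTAMP_RE.match(window)
    if not m:
        return None
    base = datetime.strptime(m.group(1), "%Y%m%d %H%M%S")
    return base + timedelta(milliseconds=10 * int(m.group(2)))


if __name__ == "__main__":
    for ev in break_events(SAMPLE):
        print(extract_timestamp(ev), "|", ev.splitlines()[0][:40])
```

Splunk's regex engine is PCRE, so these simple patterns behave the same there; the point is to confirm the event count and extracted times on a sample before reindexing.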