How to write the regex to break before my multilin...

agnonchik · ‎11-10-2014

I have two types of events. The first type is one-line:

Aug 17 2014 00:03:17 IBRA-S-CX600-2 HWCM/4/CFGCHANGE:OID 1.3.6.1.4.1.2011.6.10.2.1 Configure changed. (EventIndex=5382, CommandSource=1, ConfigSource=2, ConfigDestination=4)

while the second type is multiline:

################################################################
#Automatic record log end,current health information as follows:
Slot                    CPU Usage     Memory Usage (Used/Total)
---------------------------------------------------------------
9       MPU(System Master) 22%           26%  475MB/1812MB
1       LPU                19%           36%  307MB/836MB
2       LPU                12%           49%  169MB/340MB
3       LPU                15%           36%  308MB/836MB
8       LPU                17%           40%  331MB/814MB
10      MPU                 5%           23%  434MB/1812MB
#DateTime Stamp: 2014-08-17 00:06:08.600
################################################################

What is the regex to break before these two lines:

################################################################
#Automatic record log end,current health information as follows:

Thanks!

agnonchik · ‎11-14-2014

Thanks to everyone who answered! I think I wanted too much from Splunk. Finally, I splitted my input log into two separate files, one for each input type, and managed to load them into Splunk one-by-one.

richgalloway · ‎11-10-2014

Assuming the text is fixed, the following should work:

BREAK_ONLY_BEFORE = (#{64}\n#Automatic .*:)

---
If this reply helps you, Karma would be appreciated.

agnonchik · ‎11-10-2014

@richgalloway Still, no result. I don't know how to match both lines.

aljohnson_splun · ‎11-10-2014

Could it have to do with greedy consumption? #{64}\s*#Automatic .+?:

aljohnson_splun · ‎11-10-2014

Could you break before and use a non-consuming match?

(?:Configure changed..(.+?))

agnonchik · ‎11-10-2014

@richgalloway Thanks for your answer.

#Automatic .*:

splits just before the second line. The question is how to prepend the first line to the expression:

################################################################

I've tried

#{64}\n#Automatic .*:

It didn't work. Below is the two lines from my log-file to be parsed in hex-mode:

0000000: 2323 2323 2323 2323 2323 2323 2323 2323  ################
0000010: 2323 2323 2323 2323 2323 2323 2323 2323  ################
0000020: 2323 2323 2323 2323 2323 2323 2323 2323  ################
0000030: 2323 2323 2323 2323 2323 2323 2323 2323  ################
0000040: 0a23 4175 746f 6d61 7469 6320 7265 636f  .#Automatic reco
0000050: 7264 206c 6f67 2065 6e64 2c63 7572 7265  rd log end,curre
0000060: 6e74 2068 6561 6c74 6820 696e 666f 726d  nt health inform
0000070: 6174 696f 6e20 6173 2066 6f6c 6c6f 7773  ation as follows
0000080: 3a0a 536c 6f74 2020 2020 2020 2020 2020  :.Slot

If I use

*#{64}\n#Automatic .*:

it goes too far and grabs the previous event. Somehow the regular expression should match just from #{64}.
I don't understand why on the earth it doesn't? Please help!

richgalloway · ‎11-10-2014

Try #{64}\s*#Automatic .*:. It should allow for different (or no) white space between lines.

---
If this reply helps you, Karma would be appreciated.

How to write the regex to break before my multiline event?

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor