How to write the regex to break before my multilin...

agnonchik · ‎11-10-2014

I have two types of events. The first type is one-line:

Aug 17 2014 00:03:17 IBRA-S-CX600-2 HWCM/4/CFGCHANGE:OID 1.3.6.1.4.1.2011.6.10.2.1 Configure changed. (EventIndex=5382, CommandSource=1, ConfigSource=2, ConfigDestination=4)

while the second type is multiline:

################################################################
#Automatic record log end,current health information as follows:
Slot                    CPU Usage     Memory Usage (Used/Total)
---------------------------------------------------------------
9       MPU(System Master) 22%           26%  475MB/1812MB
1       LPU                19%           36%  307MB/836MB
2       LPU                12%           49%  169MB/340MB
3       LPU                15%           36%  308MB/836MB
8       LPU                17%           40%  331MB/814MB
10      MPU                 5%           23%  434MB/1812MB
#DateTime Stamp: 2014-08-17 00:06:08.600
################################################################

What is the regex to break before these two lines:

################################################################
#Automatic record log end,current health information as follows:

Thanks!

agnonchik · ‎11-14-2014

Thanks to everyone who answered! I think I wanted too much from Splunk. Finally, I splitted my input log into two separate files, one for each input type, and managed to load them into Splunk one-by-one.

richgalloway · ‎11-10-2014

Assuming the text is fixed, the following should work:

BREAK_ONLY_BEFORE = (#{64}\n#Automatic .*:)

---
If this reply helps you, Karma would be appreciated.

agnonchik · ‎11-10-2014

@richgalloway Still, no result. I don't know how to match both lines.

aljohnson_splun · ‎11-10-2014

Could it have to do with greedy consumption? #{64}\s*#Automatic .+?:

aljohnson_splun · ‎11-10-2014

Could you break before and use a non-consuming match?

(?:Configure changed..(.+?))

agnonchik · ‎11-10-2014

@richgalloway Thanks for your answer.

#Automatic .*:

splits just before the second line. The question is how to prepend the first line to the expression:

################################################################

I've tried

#{64}\n#Automatic .*:

It didn't work. Below is the two lines from my log-file to be parsed in hex-mode:

0000000: 2323 2323 2323 2323 2323 2323 2323 2323  ################
0000010: 2323 2323 2323 2323 2323 2323 2323 2323  ################
0000020: 2323 2323 2323 2323 2323 2323 2323 2323  ################
0000030: 2323 2323 2323 2323 2323 2323 2323 2323  ################
0000040: 0a23 4175 746f 6d61 7469 6320 7265 636f  .#Automatic reco
0000050: 7264 206c 6f67 2065 6e64 2c63 7572 7265  rd log end,curre
0000060: 6e74 2068 6561 6c74 6820 696e 666f 726d  nt health inform
0000070: 6174 696f 6e20 6173 2066 6f6c 6c6f 7773  ation as follows
0000080: 3a0a 536c 6f74 2020 2020 2020 2020 2020  :.Slot

If I use

*#{64}\n#Automatic .*:

it goes too far and grabs the previous event. Somehow the regular expression should match just from #{64}.
I don't understand why on the earth it doesn't? Please help!

richgalloway · ‎11-10-2014

Try #{64}\s*#Automatic .*:. It should allow for different (or no) white space between lines.

---
If this reply helps you, Karma would be appreciated.

How to write the regex to break before my multiline event?

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM