Solved: Why is my line breaking configuration for BREAK_ON...

ebailey · ‎05-26-2015

I have the following two messages that are merging into one event in Splunk and I need to teach Splunk to break the event at the right spot

00286       #137   7:08:04.52 142 XXX00003: CONNECT  ***  TIME OUT  ***   7:08:02.36  XXXPRD1    BRS3 010.226.194.025  8080    XXXXX-IDPRODV1       #137   7:08:05.02 142 XXX00008: CONNECT  ***  TIME OUT  ***   7:08:02.74  XXXPRD1    BRS3 010.226.194.025  8080    XXXXX-IDPRODV1

I need the line to break before #137 but my props for this condition is not working

BREAK_ONLY_BEFORE=#137

Do I need a regex or this just the wrong way to address the issue?

Thanks!

edrivera3 · ‎05-26-2015

I am not sure what the problem is, but try this:
BREAK_ONLY_BEFORE = #137\s{3}\d:\d{2}:\d{2}:\d{2}\s\d{3}

View solution in original post

woodcock · ‎05-26-2015

What are the timestamping and linebreaking settings for this source/type in props.conf (it makes a difference on how to answer)?

ebailey · ‎06-01-2015

I am using the following props

NO_BINARY_CHECK = true
SHOULD_LINEMERGE = true
category = Custom
disabled = false
pulldown_type = true
BREAK_ONLY_BEFORE = #137\s{3}\d:\d{2}:\d{2}:\d{2}s\d{3}

The timestamp of the first event is detected by default so I don't have anything specific for the timestamp in props.

edrivera3 · ‎05-26-2015

I am not sure what the problem is, but try this:
BREAK_ONLY_BEFORE = #137\s{3}\d:\d{2}:\d{2}:\d{2}\s\d{3}

ebailey · ‎05-29-2015

that did it - i needed a regex and a string match would not work - Thanks!

edrivera3 · ‎05-29-2015

Nice. Good luck with your project.

Why is my line breaking configuration for BREAK_ONLY_BEFORE in props.conf not working?

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes