
Why is my line breaking configuration for BREAK_ONLY_BEFORE in props.conf not working?

ebailey
Communicator

I have the following two messages that are merging into one event in Splunk, and I need to teach Splunk to break the event at the right spot:

00286       #137   7:08:04.52 142 XXX00003: CONNECT  ***  TIME OUT  ***   7:08:02.36  XXXPRD1    BRS3 010.226.194.025  8080    XXXXX-IDPRODV1       #137   7:08:05.02 142 XXX00008: CONNECT  ***  TIME OUT  ***   7:08:02.74  XXXPRD1    BRS3 010.226.194.025  8080    XXXXX-IDPRODV1

I need the line to break before #137, but my props for this condition are not working:

BREAK_ONLY_BEFORE=#137

Do I need a regex, or is this just the wrong way to address the issue?

Thanks!

woodcock
Esteemed Legend

What are the timestamping and linebreaking settings for this source/type in props.conf (it makes a difference on how to answer)?

0 Karma

ebailey
Communicator

I am using the following props:

NO_BINARY_CHECK = true
SHOULD_LINEMERGE = true
category = Custom
disabled = false
pulldown_type = true
BREAK_ONLY_BEFORE = #137\s{3}\d:\d{2}:\d{2}:\d{2}s\d{3}

The timestamp of the first event is detected by default so I don't have anything specific for the timestamp in props.

0 Karma

edrivera3
Builder

I am not sure what the problem is, but try this:
BREAK_ONLY_BEFORE = #137\s{3}\d:\d{2}:\d{2}:\d{2}\s\d{3}

ebailey
Communicator

That did it - I needed a regex and a string match would not work - Thanks!

0 Karma

edrivera3
Builder

Nice. Good luck with your project.

0 Karma
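
An offline check of candidate BREAK_ONLY_BEFORE values against the sample from the question, added here as an example and not code from the thread or from Splunk. It assumes each message sits on its own physical line, uses Python's re module as a stand-in for Splunk's regex engine, and models only BREAK_ONLY_BEFORE; merge_lines, event_counts and the dot_or_colon pattern are hypothetical names.

```python
import re

# Constructed from the event text in the question, assuming each message
# arrives on its own physical line (the page shows them run together).
SAMPLE_LINES = [
    "00286       #137   7:08:04.52 142 XXX00003: CONNECT  ***  TIME OUT  ***"
    "   7:08:02.36  XXXPRD1    BRS3 010.226.194.025  8080    XXXXX-IDPRODV1",
    "       #137   7:08:05.02 142 XXX00008: CONNECT  ***  TIME OUT  ***"
    "   7:08:02.74  XXXPRD1    BRS3 010.226.194.025  8080    XXXXX-IDPRODV1",
]

# Candidate BREAK_ONLY_BEFORE values. The first two are from the thread; the
# third is a hypothetical variant that accepts '.' or ':' before hundredths.
CANDIDATES = {
    "literal": r"#137",
    "thread_answer": r"#137\s{3}\d:\d{2}:\d{2}:\d{2}\s\d{3}",
    "dot_or_colon": r"#137\s{3}\d:\d{2}:\d{2}[.:]\d{2}\s\d{3}",
}


def merge_lines(lines, break_only_before):
    """Simplified model of SHOULD_LINEMERGE = true: start a new event only
    at a line where the regex matches anywhere; otherwise append the line
    to the current event. Other merge settings are not modelled."""
    pattern = re.compile(break_only_before)
    events = []
    for line in lines:
        if pattern.search(line) or not events:
            events.append([line])
        else:
            events[-1].append(line)
    return ["\n".join(ev) for ev in events]


def event_counts(lines=SAMPLE_LINES, candidates=CANDIDATES):
    """Number of events each candidate yields on the sample lines."""
    return {name: len(merge_lines(lines, rx)) for name, rx in candidates.items()}


if __name__ == "__main__":
    for name, count in event_counts().items():
        print(f"{name:14s} -> {count} event(s)")
```

A count of 1 means the pattern never matched and the lines stayed merged. The sample is used exactly as rendered on this page, where a period precedes the hundredths, so compare any pattern against a raw line from the real source before deploying it.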