Why am I getting "Regex: missing terminating ] for...

a212830 · ‎08-11-2015

Hi,

I am testing a feed, and it appears to be working properly, but I'm getting a "Regex: missing terminating ] for character class" message in the data preview.

Data sample:

07/04 20:49:51:867 [ INFO]  ConnectorStatsAppender[106] -  Connector stats printed in 78 Millis.
07/04 21:09:51:894 [ INFO]  ConnectorStatsAppender[43] - Connector stats.. 

07/04/2015 21:09:51,  Active Users_cache,           11             
07/04/2015 21:09:51,  Total Users_cache,            9942           
07/04/2015 21:09:51,  Active Conversations_cache,   3                     
07/04/2015 21:09:51,  Total Conversations_cache,    7481                  
07/04/2015 21:09:51,  Threads Available_cache,      74                    
07/04/2015 21:09:51,  Total ReviewTokens_cache,     0                     
07/04/2015 21:09:51,  Total Grey-NetTokens_cache,   0

I want to break on each line with the first timestamp formats. So the first line would be an event, and then the second would be a multiline event with all the remaining lines until we get to the next line with the first timestamp format.

Here's my props:

ANNOTATE_PUNCT = false
KV_MODE = auto
LINE_BREAKER=  ([\r\n]+)\d{2}/\d{2}\s\d{2}:\d{2}:\d{2}:\d{3}\s[
MAX_TIMESTAMP_LOOKAHEAD = 30
NO_BINARY_CHECK = 1
SHOULD_LINEMERGE = false
TIME_FORMAT = %m/%d %H:%M:%S:%3N
TIME_PREFIX = ^
TRUNCATE = 999999

So far, it looks ok, but I'm getting that error message.

richgalloway · ‎08-11-2015

The LINE_BREAKER line ends with an unmatched and un-escaped left bracket. Changing it to LINE_BREAKER= ([\r\n]+)\d{2}/\d{2}\s\d{2}:\d{2}:\d{2}:\d{3}\s\[ should fix the problem.

---
If this reply helps you, Karma would be appreciated.

Why am I getting "Regex: missing terminating ] for character class" with my line breaking configuration?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!