Hello!!!
Can you help me break these two events? They must be separated with this expression.
We have these two events, so please use them as an example:
SUBPROCESS Process Termination
------------------------------
Username: ZZZZ UIC: [1,4]
Account: WWWWWW Finish time: 29-OCT-2015 00:00:09.15
Process ID: DDDDDDDD Start time: 29-OCT-2015 00:00:09.14
Owner ID: AAAAAAAA Elapsed time: 0 00:00:00.01
Terminal name: Processor time: 0 00:00:00.02
Remote node addr: Priority: 4
Remote node name: Privilege <31-00>: FFFFFFFF
Remote ID: Privilege <63-32>: FFFFFFFF
Remote full name:
Posix UID: -2 Posix GID: -2 (%XFFFFFFFE)
Queue entry: Final status code: 00000001
Queue name:
Job name:
Final status text: %SYSTEM-S-NORMAL, normal successful completion
Page faults: 81 Direct IO: 5
Page fault reads: 21 Buffered IO: 120
Peak working set: 1616 Volumes mounted: 0
Peak page file: 171680 Images executed: 3
NETWORK Process Termination
---------------------------
Username: XXXX UIC: [1,4]
Account: XDXDXD Finish time: 29-OCT-2015 00:00:09.16
Process ID: YYYYYYYY Start time: 29-OCT-2015 00:00:05.82
Owner ID: Elapsed time: 0 00:00:03.34
Terminal name: Processor time: 0 00:00:00.16
Remote node addr: Priority: 4
Remote node name: Privilege <31-00>: FFFFFFFF
Remote ID: NRPE Privilege <63-32>: FFFFFFFF
Remote full name: 161.131.194.38
Posix UID: -2 Posix GID: -2 (%XFFFFFFFE)
Queue entry: Final status code: 00000001
Queue name:
Job name:
Final status text: %SYSTEM-S-NORMAL, normal successful completion
Page faults: 408 Direct IO: 119
Page fault reads: 108 Buffered IO: 793
Peak working set: 6912 Volumes mounted: 0
Peak page file: 176720 Images executed: 7
Thanks for your help!!!
Thanks for your answer, but I can't use the complete phrase as the line breaker because the words change between the different events. I already worked in the props file with this setting: BREAK_ONLY_BEFORE with a regular expression, and it didn't work...
I can't split it in the search statement because I'm trying to define the sourcetype...
Do you have another idea?
Thanks again!!!
If you split at index time...
props.conf
[your_events]
BREAK_ONLY_BEFORE = NETWORK Process Termination
If you split in the search statement...
(your search) | eval wk_raw=replace(_raw,"NETWORK Process Termination","[break]NETWORK Process Termination") | makemv delim="[break]" wk_raw | mvexpand wk_raw | eval _raw=wk_raw
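As an added example (mine, not part of the answer above), the line-anchored regex that a props.conf stanza could carry in BREAK_ONLY_BEFORE, applied in Python to a constructed, cut-down copy of the two records from the question: it splits on the shape of the header line instead of one literal phrase, so SUBPROCESS and NETWORK records both start a new event, and it then pulls out per event the fields you would want to check on a network-initiated process (Remote ID, Remote full name, finish time, status). The field names, SAMPLE text and the assumption that the same `^`-anchored pattern behaves identically in Splunk are mine.

```python
import re

# Constructed sample: the two OpenVMS "Process Termination" records from the
# question, cut down to the lines this example extracts fields from.
SAMPLE = """SUBPROCESS Process Termination
------------------------------
Username: ZZZZ UIC: [1,4]
Account: WWWWWW Finish time: 29-OCT-2015 00:00:09.15
Remote ID: Privilege <63-32>: FFFFFFFF
Remote full name:
Final status text: %SYSTEM-S-NORMAL, normal successful completion
NETWORK Process Termination
---------------------------
Username: XXXX UIC: [1,4]
Account: XDXDXD Finish time: 29-OCT-2015 00:00:09.16
Remote ID: NRPE Privilege <63-32>: FFFFFFFF
Remote full name: 161.131.194.38
Final status text: %SYSTEM-S-NORMAL, normal successful completion
"""

# The header word varies (SUBPROCESS, NETWORK, ...), so match the line's shape,
# not a literal phrase. Assumed props.conf equivalent:
#   BREAK_ONLY_BEFORE = ^[A-Z]+ Process Termination
EVENT_START = re.compile(r"^[A-Z]+ Process Termination", re.MULTILINE)

# Per-event extractions; [ \t]* (not \s*) so a blank field cannot spill onto the next line.
FIELDS = {
    "username": r"^Username:[ \t]+(\S+)",
    "finish_time": r"Finish time:[ \t]+(\S+ \S+)",
    "remote_id": r"^Remote ID:[ \t]*(\S*?)[ \t]*Privilege",
    "remote_full_name": r"^Remote full name:[ \t]*(\S*)",
    "status": r"Final status text:[ \t]*(.+)$",
}

def split_events(raw: str) -> list[str]:
    # Begin a new event at every header line, as BREAK_ONLY_BEFORE does.
    starts = [m.start() for m in EVENT_START.finditer(raw)]
    if not starts:
        return [raw]  # no header at all: keep the blob as a single event
    bounds = starts + [len(raw)]
    return [raw[a:b].rstrip("\n") for a, b in zip(bounds, bounds[1:])]

def parse_event(event: str) -> dict:
    fields = {"kind": EVENT_START.match(event).group(0).split()[0]}
    for name, pattern in FIELDS.items():
        m = re.search(pattern, event, re.MULTILINE)
        fields[name] = m.group(1) if m and m.group(1) else None  # blank -> None
    return fields

def parse_all(raw: str) -> list[dict]:
    return [parse_event(e) for e in split_events(raw)]
```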