Configure multiple LINE_BREAKER strings?

woodcock · ‎12-06-2011

I have line breaks signified by 2 different strings.

This works (keeping BK1 text as part of next event):

LINE_BREAKER = ([\r\n]+)(BK1)

This works (discarding BK2 text as part of breaker):

LINE_BREAKER = ([\r\n]+BK2)

But this does not work:

LINE_BREAKER = (?:([\r\n]+)(BK1))|(?:([\r\n]+BK2))

I assume this doesn't work because the 3 captures are taken as $1, $2 and $3 (and $3 is undefined as far as LINE_BREAKER REGEX goes) instead of as $1, $2v1, $2v2.

Ayn · ‎12-15-2011

I find that dealing with LINE_BREAKER settings tends to get messy when often it's simpler and equally effective to achieve the same thing by configuring proper line merging settings instead. Have you investigated that option?

woodcock · ‎05-02-2018

Using LINE_BREAKER if it is a valid option, is always the most efficient impact on the Indexer, so I always start there.

fairoldi · ‎12-15-2011

You can try:

LINE_BRAKER=([\r\n]+(?=BK1)|[\r\n]+BK2)

However this is subject to lookahead limitations: if I remember correctly this means you can not use +,? and * in BK1 (not sure about {n})

_d_ · ‎12-06-2011

Give this a try:

LINE_BREAKER = ([\r\n]+BK2)|([\r\n]+)(?=BK1)

Hope this helps.

> please upvote and accept answer if you find it useful - thanks!

woodcock · ‎06-05-2015

No worky; this completely ate the records starting with BK1 (for the same $1/$2/$3 reason/problem).

Configure multiple LINE_BREAKER strings?

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor