Is it possible to tell LINE_BREAKER to stop eating my angle bracket?

hulahoop
Splunk Employee

The use of LINE_BREAKER is a bit cryptic to me... ok, a lot. But I think I've managed to figure out how to break my XML elements into events... sorta.

Here's a data sample:

<Exception><Description>some ugly exception</Description><StackTrace>woah</StackTrace></Exception><Exception><Description>another ugly exception</Description><StackTrace>lots of stuff</StackTrace></Exception>

With this config in props.conf:

[foo]
SHOULD_LINEMERGE = false
LINE_BREAKER = ()<Exception>

Since the <Exception> elements do not appear on a new line, it seems LINE_BREAKER is my only option in props.conf to specify where to make a new event. The trouble is LINE_BREAKER requires at least 1 matching group, and the contents of the matching group do not appear in the event. The rule above effectively eats the opening bracket, such that events appear like this in Splunk:

Exception><Description>some ugly exception</Description><StackTrace>woah</StackTrace></Exception>
Exception><Description>another ugly exception</Description><StackTrace>lots of stuff</StackTrace></Exception>

How disgusting. Is there some regex magic to put the < back in Exception>?


gkanapathy
Splunk Employee

Try a regex lookahead:

LINE_BREAKER = ((?=\<Exception\>))

Update: per comments, the above doesn't work, but this does:

LINE_BREAKER = [\>\s]((?=\<Exception\>))
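An added example, not part of the original posts and not Splunk code: a small Python model of the documented LINE_BREAKER rule (the first capturing group is discarded; text before it ends the previous event, text after it starts the next), for checking a candidate pattern against the sample from the question. `break_events` is a hypothetical helper, Python's `re` stands in for Splunk's PCRE, and the model does not reproduce the empty-group behaviour reported in this thread.

```python
import re

# Constructed input: the two-event sample from the question, on one line.
SAMPLE = (
    "<Exception><Description>some ugly exception</Description>"
    "<StackTrace>woah</StackTrace></Exception>"
    "<Exception><Description>another ugly exception</Description>"
    "<StackTrace>lots of stuff</StackTrace></Exception>"
)

ACCEPTED = r"[\>\s]((?=\<Exception\>))"  # pattern from the accepted answer
CAPTURING = r"(<)Exception>"             # constructed: bracket inside group 1


def break_events(data, line_breaker):
    """Hypothetical helper modelling the documented rule only.

    For every match, the previous event ends where group 1 starts, the
    next event begins where group 1 ends, and group 1's text is dropped.
    """
    pattern = re.compile(line_breaker)
    if pattern.groups < 1:
        raise ValueError("LINE_BREAKER needs at least one capturing group")
    events, start = [], 0
    for match in pattern.finditer(data):
        if match.start(1) == -1:  # group 1 did not take part in this match
            continue
        events.append(data[start:match.start(1)])
        start = match.end(1)
    events.append(data[start:])
    return [event for event in events if event]


def truncated_events(data, line_breaker, prefix="<Exception>"):
    """Return the events that no longer begin with the expected prefix."""
    return [e for e in break_events(data, line_breaker)
            if not e.startswith(prefix)]


if __name__ == "__main__":
    for name, regex in (("accepted", ACCEPTED), ("capturing", CAPTURING)):
        print(name, "truncated events:", len(truncated_events(SAMPLE, regex)))
```

Agreement with this model is only a first check; confirm the result by indexing a sample with the setting in props.conf.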


115547873038911
New Member

Try starting the regex with ([\n\r]). From the spec "* The contents of the first matching group is ignored as event text."


gkanapathy
Splunk Employee

Unfortunately the events don't have newlines or CR between them, so we can't use them to find the breaks. What we're doing is a regex lookahead, which is supposed to basically match the following characters without actually including them as part of the match.

hulahoop
Splunk Employee

Hallelujah! The last suggestion works like a charm! Thank you, G!


gkanapathy
Splunk Employee

Seems like a bug to me. Might try >\s as a last resort.


hulahoop
Splunk Employee

Still ate the opening angle bracket. 😞
