
can't figure out line breaks on a particular file I have

gregcain
Explorer

Hi There,

I have a log file that looks like this (where it says "blank line" is a blank line, not the words "blank line.")

blank line
Thu Aug 11 06:05PM paging-script.sh args: An Incident 
11111111 Initial. [Priority 2-High]. Cust:Last, First A (555) 111-2222 DC 5B: Problem Description: 555-555-5555 u
calling page-member.sh auxiliary-ta email@domain.com Incident 11111111 Initial. [Priority 2-High]. Cust:Last, First A (555) 555-5555 DC 5B: Problem Description: 555-555-5555
Thu Aug 11 06:05PM paging-script.sh is complete.
blank line

Every instance of this file shares this format: a blank line, followed by the date on the opening line, a line of text, and the closing line, which also starts with the date. Each entry has a blank line before it and a blank line after it.

Using a regex of %a %b %d %R%p I can parse the timestamp, but that means that the first and third lines end up being different records. If I leave event breaks set to Auto, it puts the timestamp on different lines. If I use the regex, it does the same thing.

How would I set the source type to use the date format to open and close this code?


s2_splunk
Splunk Employee
Splunk Employee

If your desired outcome is that you get exactly one event indexed that contains both timestamps, try this:

[yourSourcetype]
BREAK_ONLY_BEFORE = ^\r\n\w{3}\s\w{3}
KV_MODE = auto
NO_BINARY_CHECK = true
TIME_FORMAT = %a %b %d %R%p

In my test instance, this results in this output:


gregcain
Explorer

Hi There,

Thanks for the suggestions. However, it doesn't appear to work. It may be because you've only got one stanza from my file, whereas I have hundreds.

I copied and pasted your sourcetype, restarted Splunk, and chose that sourcetype. The only differences between what you suggested and what I find under Advanced are:

CHARSET UTF-8
SHOULD_LINEMERGE true
disabled false


s2_splunk
Splunk Employee
Splunk Employee

OK, so if you have multiple of these blank-line1-line2-blank groups and you want your events to be line1+line2=1 event, change BREAK_ONLY_BEFORE = \w{3}\s\w{3}\s\d{1,2}\s\d{2}:\d{2}[AP]M\s\w+-\w+\.sh\sargs
This is assuming that your line1 always starts with a date, a .sh script name followed by a space and the string 'args'. If that is not the case, just modify the RegEx to reliably identify your line1.

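To see what the line-merging rule above does to a file of this shape, here is an added Python emulation (it is not Splunk code and not from anyone in this thread): it breaks a constructed sample into events before every line matching the suggested BREAK_ONLY_BEFORE regex, then reads the first timestamp of each event with Python's strptime spelling of the TIME_FORMAT. Testing the regex per merged line, the 12-hour reading of the hour field, and the year supplied by the caller are assumptions.

```python
import re
from datetime import datetime

# Constructed sample in the layout from the question (two entries, dummy numbers):
# blank line, "args" line, detail lines, "is complete." line, blank line.
SAMPLE_LOG = (
    "\n"
    "Thu Aug 11 06:05PM paging-script.sh args: An Incident \n"
    "11111111 Initial. [Priority 2-High]. Cust:Last, First A (555) 111-2222 DC 5B: Problem Description: 555-555-5555 u\n"
    "calling page-member.sh auxiliary-ta email@domain.com Incident 11111111 Initial. [Priority 2-High].\n"
    "Thu Aug 11 06:05PM paging-script.sh is complete.\n"
    "\n"
    "Thu Aug 11 06:42PM paging-script.sh args: An Incident \n"
    "22222222 Initial. [Priority 3-Medium]. Cust:Doe, Jane (555) 333-4444 DC 1A: Problem Description: 555-555-5555\n"
    "calling page-member.sh auxiliary-ta email@domain.com Incident 22222222 Initial. [Priority 3-Medium].\n"
    "Thu Aug 11 06:42PM paging-script.sh is complete.\n"
    "\n"
)

# BREAK_ONLY_BEFORE regex from the answer above (match() already anchors at line start).
BREAK_ONLY_BEFORE = re.compile(r"\w{3}\s\w{3}\s\d{1,2}\s\d{2}:\d{2}[AP]M\s\w+-\w+\.sh\sargs")
# The timestamp as written in the log, and Python's strptime spelling of
# Splunk's "%a %b %d %R%p" (assumption: the hour field is a 12-hour value with AM/PM).
TIMESTAMP_RE = re.compile(r"[A-Za-z]{3}\s[A-Za-z]{3}\s\d{1,2}\s\d{2}:\d{2}[AP]M")
TIME_FORMAT = "%a %b %d %I:%M%p"


def break_events(text, pattern=BREAK_ONLY_BEFORE):
    """Emulate SHOULD_LINEMERGE with BREAK_ONLY_BEFORE: lines are merged into the
    current event until one matches `pattern`, which then opens a new event.
    (Assumption: the regex is tested per line, not against the raw byte stream.)"""
    events, current = [], []
    for line in text.splitlines():
        if pattern.match(line) and current:
            events.append("\n".join(current).strip())
            current = []
        current.append(line)
    if current:
        events.append("\n".join(current).strip())
    # The separator blank lines collapse into empty events; drop them.
    return [e for e in events if e]


def event_timestamp(event, year):
    """First timestamp in the event (the opening line's), as Splunk picks it;
    the log carries no year, so the caller supplies one (assumption)."""
    m = TIMESTAMP_RE.search(event)
    if m is None:
        return None
    return datetime.strptime(m.group(0), TIME_FORMAT).replace(year=year)
```

Each event comes out holding the opening line, the detail lines and the "is complete." line, and only the opening timestamp is used for _time.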

diogofgm
SplunkTrust
SplunkTrust

Can you try something like this:

TIME_PREFIX = ^[\r\n]

If the blank line has some space characters, try this:

TIME_PREFIX = ^\s*[\r\n]
------------
Hope I was able to help you. If so, some karma would be appreciated.

gregcain
Explorer

Hi There,

Thanks for the suggestion. Regretfully this didn't get any closer to a solution.
