Hi There,
I have a log file that looks like this (where it says "blank line" is a blank line, not the words "blank line.")
blank line
Thu Aug 11 06:05PM paging-script.sh args: An Incident
11111111 Initial. [Priority 2-High]. Cust:Last, First A (555) 111-2222 DC 5B: Problem Description: 555-555-5555 u
calling page-member.sh auxiliary-ta email@domain.com Incident 11111111 Initial. [Priority 2-High]. Cust:Last, First A (555) 555-5555 DC 5B: Problem Description: 555-555-5555
Thu Aug 11 06:05PM paging-script.sh is complete.
blank line
Every instance of this file shares this format. A blank line, followed by the date on the opening line, a line of text, and the closing line, which also starts with the date. Each entry has a blank line before it, and a blank line after it.
Using regex of %a %b %d %R%p I can parse the timestamp, but that means that the first and third lines end up being different records. If I leave event breaks set to Auto, it puts the time stamp on different lines. If I use the regex, it does the same thing.
How would I set the source type to use the date format to open and close this code?
Hi There,
Thanks for the suggestions. However, it doesn't appear to work. It may be because you've only got one stanza from my file, whereas I have hundreds.
I copied and pasted your sourcetype, restarted Splunk, and chose that sourcetype. The only differences between what you suggested and what I find under advanced are:
CHARSET UTF-8
SHOULD_LINEMERGE true
disabled false
OK, so if you have multiple of these blank-line1-line2-blank groups and you want your events to be line1+line2=1 event, change BREAK_ONLY_BEFORE = \w{3}\s\w{3}\s\d{1,2}\s\d{2}:\d{2}[AP]M\s\w+-\w+\.sh\sargs
This is assuming that your line1 always starts with a date, a .sh script name followed by a space and the string 'args'. If that is not the case, just modify the RegEx to reliably identify your line1.
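As an added example (not from this thread or from Splunk itself), here is a short Python script that emulates the proposed BREAK_ONLY_BEFORE setting over a constructed copy of the log, to show that each blank/line1/line2/closing-line group comes out as one event whose timestamp is read from the opening line only. The sample text, the second entry and the use of %I:%M in place of Splunk's %R are assumptions.

```python
import re
from datetime import datetime

# Constructed sample in the shape the question describes: a blank line, the
# "args" line, a text line, the "is complete" line, a blank line; two entries.
SAMPLE_LOG = """
Thu Aug 11 06:05PM paging-script.sh args: An Incident
11111111 Initial. [Priority 2-High]. Cust:Last, First A (555) 111-2222 DC 5B: Problem Description: 555-555-5555 u
calling page-member.sh auxiliary-ta email@domain.com Incident 11111111 Initial. [Priority 2-High]
Thu Aug 11 06:05PM paging-script.sh is complete.

Thu Aug 11 06:07PM paging-script.sh args: Another Incident
22222222 Initial. [Priority 3-Medium]. Cust:Doe, Jane (555) 333-4444 DC 1A: Problem Description: 555-555-1234
Thu Aug 11 06:07PM paging-script.sh is complete.
"""

# The BREAK_ONLY_BEFORE pattern suggested in the answer above.
BREAK_ONLY_BEFORE = re.compile(
    r"\w{3}\s\w{3}\s\d{1,2}\s\d{2}:\d{2}[AP]M\s\w+-\w+\.sh\sargs"
)

# Leading timestamp of an event: "Thu Aug 11 06:05PM"
TIMESTAMP_RE = re.compile(r"^(\w{3} \w{3} \d{1,2} \d{2}:\d{2}[AP]M)")
# Assumption: Python's strptime has no %R, so %I:%M stands in for %R with %p.
TIME_FORMAT = "%a %b %d %I:%M%p"


def split_events(text, break_re=BREAK_ONLY_BEFORE):
    """Emulate BREAK_ONLY_BEFORE: a line matching break_re starts a new event;
    every other non-blank line (including the closing 'is complete' line,
    which lacks 'args') is appended to the current event. Blank separator
    lines are dropped. Returns a list of event strings."""
    events = []
    for line in text.splitlines():
        if break_re.match(line):
            events.append([line])
        elif events and line.strip():
            events[-1].append(line)
    return ["\n".join(ev) for ev in events]


def event_timestamp(event):
    """Parse the timestamp from the first line of the event only, so the
    closing line's identical date is never treated as a second record."""
    first_line = event.split("\n", 1)[0]
    match = TIMESTAMP_RE.match(first_line)
    if match is None:
        raise ValueError("event does not start with a timestamp: %r" % first_line)
    return datetime.strptime(match.group(1), TIME_FORMAT)


if __name__ == "__main__":
    for ev in split_events(SAMPLE_LOG):
        print(event_timestamp(ev).strftime("%H:%M"), "->", ev.count("\n") + 1, "lines")
```

The year is absent from the log, so strptime fills in 1900; Splunk would take the current year instead.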
Can you try something like this:
TIME_PREFIX = ^[\r\n]
If the blank line has some space characters, try this:
TIME_PREFIX = ^\s*[\r\n]
Hi There,
Thanks for the suggestion. Regretfully this didn't get any closer to a solution.