My log goes like this. I want all contents between "BeginEvent" and "EndEvent" as a single event. Any help?
Will greatly appreciate it
--------BeginEvent--------
04/09/2012 09:28:34 EventStartTime=Mon Apr 09 09:28:34 PDT 2012
04/09/2012 09:28:34 EventClass=TEST
04/09/2012 09:28:34 StatusCode=23
04/09/2012 09:28:34 ServerClassName=KSED
04/09/2012 09:28:34 EventData=Testing
---------EndEvent---------
--------BeginEvent--------
04/09/2012 11:38:10 EventStartTime=Mon Apr 09 11:38:10 PDT 2012>
04/09/2012 11:38:10 SessID=52352525252>
...
...
.....
If your log files actually contain the '--------BeginEvent-------' string, you could have the following props.conf setting:
[your_sourcetype]
SHOULD_LINEMERGE=false
LINE_BREAKER = ([\r\n]+-+BeginEvent-+)
This should remove the 'BeginEvent' line altogether and break for the next event.
UPDATE:
No, it's far more efficient to use LINE_BREAKER than MUST_BREAK_BEFORE, MUST_NOT_BREAK_AFTER etc. This requires that SHOULD_LINEMERGE is set to false.
The incoming stream is then broken into events wherever the LINE_BREAKER regex matches.
I guess that you could craft a regex that could remove the 'EndEvent' line as well, though I have not tried it. It could possibly look like (though this is a bit beyond my regex skills)
LINE_BREAKER = (?m)(([\r\n]+-+EndEvent-+)?[\r\n]+-+BeginEvent-+)
Hope this helps,
Kristian
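To check both regexes from the answer above before deploying them, here is an added example (not part of the original answer and not Splunk code) that models LINE_BREAKER in Python: the event boundary falls at the first capture group and the text that group matched is discarded. The helper name `split_events` and the sample data are constructed for this illustration.

```python
import re

# Constructed sample modelled on the log in the question.
SAMPLE = (
    "--------BeginEvent--------\n"
    "04/09/2012 09:28:34 EventStartTime=Mon Apr 09 09:28:34 PDT 2012\n"
    "04/09/2012 09:28:34 EventClass=TEST\n"
    "04/09/2012 09:28:34 StatusCode=23\n"
    "---------EndEvent---------\n"
    "--------BeginEvent--------\n"
    "04/09/2012 11:38:10 EventStartTime=Mon Apr 09 11:38:10 PDT 2012\n"
    "04/09/2012 11:38:10 SessID=52352525252\n"
    "---------EndEvent---------\n"
)

# The two LINE_BREAKER values given in the answer.
BREAK_ON_BEGIN = r"([\r\n]+-+BeginEvent-+)"
BREAK_ON_END_AND_BEGIN = r"(?m)(([\r\n]+-+EndEvent-+)?[\r\n]+-+BeginEvent-+)"


def split_events(stream, line_breaker):
    """Hypothetical model of LINE_BREAKER with SHOULD_LINEMERGE=false.

    The previous event ends where capture group 1 starts, the next event
    begins where group 1 ends, and the text inside group 1 is dropped.
    """
    events, start = [], 0
    for match in re.finditer(line_breaker, stream):
        events.append(stream[start:match.start(1)])
        start = match.end(1)
    events.append(stream[start:])
    # Trim the newlines left at event edges and skip empty chunks.
    return [e.strip("\r\n") for e in events if e.strip("\r\n")]


if __name__ == "__main__":
    for name, rx in (("begin only", BREAK_ON_BEGIN),
                     ("end + begin", BREAK_ON_END_AND_BEGIN)):
        print("==", name)
        for number, event in enumerate(split_events(SAMPLE, rx), 1):
            print("event %d:\n%s\n" % (number, event))
```

In this model each event keeps its internal newlines without any line merging. Both patterns require a newline before the marker, so the BeginEvent line at the very start of the stream and the final EndEvent line (with no BeginEvent after it) stay in their events.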
haha, tell my wife!
/k
you are just awesome
Thank you Kristian,
"04/09/2012 09:28:34 EventStartTime=Mon Apr 09 09:28:34 PDT 2012", "04/09/2012 09:28:34 EventClass=TEST" etc. are actually on different lines (/n/r is present). Should I not set SHOULD_LINEMERGE to true?