How to edit props.conf for proper line breaking of...

mbksplunk · ‎10-19-2016

Events are not breaking up correctly for this particular log file that does not have YYYY-MM-DD in the timestamp. Here is the log from one of the apsp that was not so greatly written. I say this because the log does not have YYYY-MM-DD as part of the timestamp.

Log file:

16:35:34,985 INFO  604682869 [  FailureHandlerBean] Scena startTime=Wed Oct 19 16:35:25 EST 2016]
16:35:34,988 INFO  604682869 [         LockHandler] Invalidated lock Tool.
16:35:34,998 INFO  604682869 [      PFMInterceptor] Executed in Engine 9313ms
16:35:35,002 INFO  604681893 [     JmsQueueMonitor] Current message count in EventQueue: 34

props.conf

[server_log]
NO_BINARY_CHECK = 1
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)\d{2}:\d{2}:\d{2},\d{3}
pulldown_type = 1

Any idea? Thanks in advance.

ibob0304 · ‎10-25-2016

Try this

[server_log]
NO_BINARY_CHECK = 1
pulldown_type = 1
BREAK_ONLY_BEFORE = \d{2}\:\d{2}\:\d{2}\,\d{3}
SHOULD_LINEMERGE = true

lguinn2 · ‎10-19-2016

If each line of the file is a separate event, you do not need the LINE_BREAKER at all. For log files containing single-line events, SHOULD_LINEMERGE = false is all you need.

How to edit props.conf for proper line breaking of a log file that does not have YYYY-MM-DD in the timestamp?

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases