Splunk Search

linebreaking for text configuration file format

JeffTanYH
Engager

I am trying to linebreak my text-format configuration file into different events by ControlID. I need help with the linebreaking of my data.

My text configuration looks something like this:

******************************************************************************
* Reading information for ControlID:     999999                              *
******************************************************************************

Auditing Enabled:                                           Blah
Audit Process Tracking:                                     Blah 


******************************************************************************
* Reading information for ControlID:     999999                              *
******************************************************************************

Auditing Enabled:                                           Blah
Audit Account Logon Events:                                 Blah 


******************************************************************************
* Reading information for ControlID:     999999                              *
******************************************************************************

Auditing Enabled:                                           Blah
Audit Account Management/User and Group Mgmt:               Blah 


******************************************************************************
* Reading information for ControlID:     999999                              *
******************************************************************************

Auditing Enabled:                                           Blah
Audit Logon Events/Logon and Logoff :                       Blah 

The grey lines you see are actually ******** in my text file.

I am rather new to Splunk and I urgently need your help in linebreaking my data. I have tried several methods but they don't seem to be working for my data.

When I input this file into Splunk, it automatically breaks my data into events. However, it does not break the events the way I want; it simply selects random lines to break the data and gives no meaning to the different events.

Please help me! Thank you.

0 Karma
1 Solution

MarioM
Motivator

Did you try the following for your sourcetype in your props.conf:

    [my_sourcetype]
    BREAK_ONLY_BEFORE=(.*\bControlID:.*)
    SHOULD_LINEMERGE=true


JeffTanYH
Engager

And one more thing.. Could you help me figure out how do i linebreak this as well?

Is it feasible to break [1] from [2] and make them separate events, while maintaining the linebreak of each ControlID event? And how?

******************************************************************************
* Reading information for ControlID:     999999                              *
******************************************************************************


    ________________________________________________________________________
    Object: C:\WINDOWS
    Owner:  BUILTIN\Administrators
    Group:  BUILTIN\Administrators

    ACL (DACL): 
    =========== 
    [1]:
    BUILTIN\Users
    ACE Header Type : 0x0
    ACE Header Flags: 0x0
    ACE Access Mask : 0x999999
    Apply to : [This folder] 
    Allow
        Read Permissions
        Read Extended Attributes
        Read Attributes
        List Folder/Read Data
        Traverse Folder/Execute File
    [2]:
    BUILTIN\Users
    ACE Header Type : 0x0
    ACE Header Flags: 0xb
    ACE Access Mask : 0xn0000000
    Apply to : [Subfolders] [Files] 
    Allow
        Read
        Execute

It would be much appreciated if you could help me!

0 Karma

JeffTanYH
Engager

Alright. Thanks a lot MarioM. I'll create a new question and hopefully someone has a solution.

0 Karma

MarioM
Motivator

I am afraid that on this one I don't think it will be possible to maintain the linebreak of each ControlID event.
Maybe someone else will have an idea...
You should create a new question.

0 Karma

MarioM
Motivator

Even better than BREAK_ONLY_BEFORE (SHOULD_LINEMERGE=true uses more resources):

    [my_sourcetype]
    LINE_BREAKER=([\r\n\-]+)\s+Reading.*
    SHOULD_LINEMERGE=false
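
As an added illustration (not code from the thread or from Splunk), here is a small Python emulation of the two props.conf mechanisms discussed above, run on a constructed copy of the sample: BREAK_ONLY_BEFORE with the ControlID regex from the accepted answer, and LINE_BREAKER with an assumed lookahead regex that breaks on the blank lines ahead of each header block. It shows where the asterisk border lines end up in each case, which matters once fields are extracted from the events; the functions approximate Splunk's documented behaviour (BREAK_ONLY_BEFORE starts a new event at a matching line, LINE_BREAKER discards the text matched by its capture group) and are not Splunk's implementation.

```python
import re

# Constructed sample shaped like the file in the question (not the poster's real data).
BORDER = "*" * 78
HEADER = "* Reading information for ControlID:     999999".ljust(77) + "*"
SAMPLE = "\n".join([
    BORDER, HEADER, BORDER, "",
    "Auditing Enabled:                                           Blah",
    "Audit Process Tracking:                                     Blah",
    "", "",
    BORDER, HEADER, BORDER, "",
    "Auditing Enabled:                                           Blah",
    "Audit Account Logon Events:                                 Blah",
    "",
])

# Regex from the accepted answer (BREAK_ONLY_BEFORE with SHOULD_LINEMERGE=true).
BREAK_ONLY_BEFORE_RX = r"(.*\bControlID:.*)"
# Assumed alternative for LINE_BREAKER (SHOULD_LINEMERGE=false): the capture group
# eats the newline run before a border line that is followed by a header line.
LINE_BREAKER_RX = r"([\r\n]+)(?=\*{10,}[\r\n]+\* Reading information for ControlID:)"

def break_only_before(text, pattern):
    """Approximate BREAK_ONLY_BEFORE: lines are merged into the current event
    until a line that matches the regex starts a new one."""
    rx = re.compile(pattern)
    events = []
    for line in text.split("\n"):
        if rx.search(line) or not events:
            events.append([line])
        else:
            events[-1].append(line)
    merged = ["\n".join(e).strip() for e in events]
    return [e for e in merged if e]

def line_breaker(text, pattern):
    """Approximate LINE_BREAKER: the first capture group marks the boundary and
    the captured text itself is discarded from the events."""
    rx = re.compile(pattern)
    events, pos = [], 0
    for m in rx.finditer(text):
        events.append(text[pos:m.start(1)])
        pos = m.end(1)
    events.append(text[pos:])
    return [e.strip() for e in events if e.strip()]
```

With BREAK_ONLY_BEFORE the first border line becomes a stray one-line event and every later border is glued to the end of the preceding event; with the lookahead LINE_BREAKER each event starts at its own border and ends at its last audit setting.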

JeffTanYH
Engager

Hey. Thanks for your answers, greatly appreciated. The first one works better as it correctly breaks the event into the ControlID I need. The second one, however, breaks the "Auditing Enabled: Blah Audit Process Tracking: Blah" section with the ControlID below it, which is not what I want.

0 Karma
