Solved: LINE_BREAKER not working correctly

pkeller · ‎01-25-2017

The event I want to break on looks like this:

25/Jan/17:10:23:00:069+0000 DEBUG Evaluation of condition [188:FTP Mastering Users] took 0 ms

props.conf looks like this:
LINE_BREAKER = ([\r\n]+)(\d+/\w{3}/\d+:\d{2}:\d{2}:\d{2}:\d{3})
I've also tried this:
LINE_BREAKER = ([\r\n]+)(\d+\/\w{3}\/\d+:\d{2}:\d{2}:\d{2}:\d{3})
TIME_FORMAT = %-m/%b/%y:%H:%M:%S:%3N%z
TRUNCATE = 0

I'm still finding that my indexers are now combining every event matching the REGEX into a single event ( until the max events boundary is reached )

I figure I'm getting hung up on the "forward slash" in the date vs what I have in the REGEX, but have not been able to ingest this particular datasource accurately. So do I need to go a step further with regards to

somesoni2 · ‎01-25-2017

Give this a try

[yourSourcetype]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)(?=\d+\/\w+\/\d+:\d+:\d+:\d+)
TIME_FORMAT = %d/%b/%y:%H:%M:%S:%N%z
TIME_PREFIX = ^
MAX_TIMESTAMP_LOOKAHEAD = 27

View solution in original post

woodcock · ‎01-25-2017

Try this:

([\r\n]+)(\d+\/\w{3}\/\d+:\d{2}:\d{2}:\d{2}:\d{3})

You can test your RegEx with http://www.regex101.com. This showed that you were not escaping your / characters.

somesoni2 · ‎01-25-2017

Give this a try

[yourSourcetype]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)(?=\d+\/\w+\/\d+:\d+:\d+:\d+)
TIME_FORMAT = %d/%b/%y:%H:%M:%S:%N%z
TIME_PREFIX = ^
MAX_TIMESTAMP_LOOKAHEAD = 27

LINE_BREAKER not working correctly

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms