Getting Data In

props.conf doesn't work properly

ggssa2000
Explorer

Hi, Splunkers,

I have the following data going from a UF to a Splunk instance.

<< UDP-1128 Nocrypto.......
    REGISTER.....
    ......................
    ......................
    ......................
    ......................
    ......................
    ......................
    Content-Length: 0

It is from the same file's content; however, Splunk breaks it on each line like this:

<< UDP-1128 Nocrypto.......
REGISTER.....
...........................
Content-Length: 0

This makes it difficult for me to search the data.

I have already tried this config in several locations:
1. UF's $SPLUNK/etc/apps/[deployment_app_name]/local/props.conf
2. the apps located in the Splunk instance at $SPLUNK_HOME/etc/apps/[App_Name]/local/props.conf
3. the props.conf at $SPLUNK_HOME/etc/system/local/props.conf

Here is the props.conf content:

[host::<host>]
LINE_BREAKER = ([\r\n]+)
SHOULD_MERGE = true
BREAK_ONLY_BEFORE = \s+<<\sUDP-\d+\sNoCrypto
MUST_BREAK_AFTER = Content-Length


BREAK_ONLY_BEFORE = <regular expression>
* When set, Splunk creates a new event only if it encounters a new line that
  matches the regular expression.
* Defaults to empty.

MUST_BREAK_AFTER = <regular expression>
* When set and the regular expression matches the current line, Splunk
  creates a new event for the next input line.
* Splunk may still break before the current line if another rule matches.
* Defaults to empty.

The instructions are from the "Configure event line breaking" doc
http://docs.splunk.com/Documentation/Splunk/6.6.1/Data/Configureeventlinebreaking
and the "props.conf" doc 
http://docs.splunk.com/Documentation/Splunk/6.6.1/Admin/Propsconf

But the props.conf doesn't merge the data into a multi-line event.
Does anyone have suggestions? Thanks for replying 🙂

0 Karma

woodcock
Esteemed Legend

Try this:

[host::<host>]
LINE_BREAKER = ([\r\n]+)
SHOULD_LINEMERGE = True
BREAK_ONLY_BEFORE = ^\s*<<\s*UDP-\d+\s+

Save this to your indexers, restart all Splunk instances on your indexers and test by ONLY checking events that were indexed AFTER the restarts. Do note my implementation of the comment by @dineshraj9!
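
Added example (not code from the thread or from Splunk): a small Python model of the merge rules quoted in the question (LINE_BREAKER, SHOULD_LINEMERGE, BREAK_ONLY_BEFORE, MUST_BREAK_AFTER), run over a constructed sample shaped like the redacted excerpt, comparing the original poster's stanza with the one proposed above. It deliberately ignores BREAK_ONLY_BEFORE_DATE and the other merge attributes, so it is a check on the regexes, not a substitute for Splunk's parser. The sample text, the dict form of the stanzas and the helper names are all constructed for this example.

```python
import re

# Constructed sample modelled on the redacted excerpt in the question; not real data.
SAMPLE = (
    "<< UDP-1128 Nocrypto.......\n"
    "    REGISTER.....\n"
    "    ......................\n"
    "    Content-Length: 0\n"
    "<< UDP-1129 Nocrypto.......\n"
    "    REGISTER.....\n"
    "    ......................\n"
    "    Content-Length: 0\n"
)

# The poster's stanza (with the SHOULD_MERGE typo already corrected) and the proposed one,
# as plain dicts. Hypothetical representation; Splunk reads these from props.conf.
ORIGINAL = {
    "LINE_BREAKER": r"([\r\n]+)",
    "SHOULD_LINEMERGE": True,
    "BREAK_ONLY_BEFORE": r"\s+<<\sUDP-\d+\sNoCrypto",
    "MUST_BREAK_AFTER": r"Content-Length",
}
PROPOSED = {
    "LINE_BREAKER": r"([\r\n]+)",
    "SHOULD_LINEMERGE": True,
    "BREAK_ONLY_BEFORE": r"^\s*<<\s*UDP-\d+\s+",
}


def split_lines(raw, line_breaker):
    """LINE_BREAKER: the first capture group is the delimiter and is discarded."""
    parts = re.split(line_breaker, raw)
    # re.split with one capture group interleaves text and delimiters; keep the text.
    return [p for p in parts[::2] if p]


def header_lines(lines, break_only_before):
    """Indices of lines that BREAK_ONLY_BEFORE would accept as the start of an event."""
    pat = re.compile(break_only_before)
    return [i for i, line in enumerate(lines) if pat.search(line)]


def merge_events(lines, props):
    """Model of the line-merging stage for the four attributes discussed in the thread.

    Simplification: with SHOULD_LINEMERGE on and no BREAK_ONLY_BEFORE / MUST_BREAK_AFTER
    everything merges into one event; real Splunk would also consult
    BREAK_ONLY_BEFORE_DATE and the other merge attributes.
    """
    if not props.get("SHOULD_LINEMERGE", True):
        return list(lines)  # no merging: every LINE_BREAKER piece is its own event
    bob = re.compile(props["BREAK_ONLY_BEFORE"]) if props.get("BREAK_ONLY_BEFORE") else None
    mba = re.compile(props["MUST_BREAK_AFTER"]) if props.get("MUST_BREAK_AFTER") else None
    events, current, force_break = [], [], False
    for line in lines:
        # A new event starts if the previous line demanded it (MUST_BREAK_AFTER)
        # or if this line matches BREAK_ONLY_BEFORE.
        if current and (force_break or (bob is not None and bob.search(line))):
            events.append("\n".join(current))
            current = []
        current.append(line)
        force_break = mba is not None and bool(mba.search(line))
    if current:
        events.append("\n".join(current))
    return events


def break_events(raw, props):
    """Full pipeline model: LINE_BREAKER split, then line merging."""
    return merge_events(split_lines(raw, props["LINE_BREAKER"]), props)


if __name__ == "__main__":
    lines = split_lines(SAMPLE, ORIGINAL["LINE_BREAKER"])
    print("original BREAK_ONLY_BEFORE matches lines:", header_lines(lines, ORIGINAL["BREAK_ONLY_BEFORE"]))
    print("proposed BREAK_ONLY_BEFORE matches lines:", header_lines(lines, PROPOSED["BREAK_ONLY_BEFORE"]))
    for name, props in (("original", ORIGINAL), ("proposed", PROPOSED)):
        for n, ev in enumerate(break_events(SAMPLE, props), 1):
            print(f"--- {name} event {n} ---\n{ev}")
```

On this sample the original BREAK_ONLY_BEFORE never matches the header line: its leading `\s+` requires whitespace before `<<`, and `NoCrypto` does not match the `Nocrypto` in the data (Splunk's PCRE and Python's `re` agree on both points). The original stanza still yields two events here, but only because MUST_BREAK_AFTER fires on `Content-Length`; drop that attribute and the whole sample collapses into one event. The anchored `^\s*<<\s*UDP-\d+\s+` matches lines 0 and 4 and gives the intended two events on its own. Two checks worth doing before blaming the regex: line breaking for unstructured data happens in the parsing pipeline on the indexer (or the first heavy forwarder in the path), so a props.conf on a universal forwarder does not affect it; and `$SPLUNK_HOME/bin/splunk btool props list "host::<host>" --debug` on the indexer shows which file each setting is actually taken from, which catches a stanza being overridden by another app.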

ggssa2000
Explorer

I will try it later, and I will let you know the result. thanks!

0 Karma

dineshraj9
Builder

It should be SHOULD_LINEMERGE and not SHOULD_MERGE

SHOULD_LINEMERGE = [true|false]
* When set to true, Splunk combines several lines of data into a single
  multi-line event, based on the following configuration attributes.
* Defaults to true.

# When SHOULD_LINEMERGE is set to true, use the following attributes to
# define how Splunk builds multi-line events.

ggssa2000
Explorer

I did it right in the props.conf, and it still doesn't work 😞

0 Karma