Solved: Writing props.conf for logfile having below log st...

ajaylowes · ‎07-12-2017

*****************************************************************************
***************           SYSTEM    ERROR:   000000           ***************
DATE: 07/05/2017 ********************************************* TIME: 12:00 AM

i am starting to learn splunk , its good and very interesting > i love splunk ./
REFERENCE CODE: ABC_XYZ_FILECOPY-82728

i need to create props.conf to break the logfile containing logs shown above into events.
Please help me write one props.conf which remove all stars since they are not useful

Thanks

lguinn2 · ‎07-12-2017

If this is the whole log, then it looks like you want one event per file. Try this in props.conf

[yoursourcetypehere]
BREAK_ONLY_BEFORE=^**************************************************$
TIME_PREFIX = DATE\:
MAX_TIMESTAMP_LOOKAHEAD = 200
TIME_FORMAT = %m/%d/%Y ********************************************* TIME: %H:%M %p

You may have to tweak this a bit to get it right for your log file.

View solution in original post

woodcock · ‎07-13-2017

Use these settings in props.conf:

[yourSourcetypeHere]
LINE_BREAKER = ([\r\n]+)\*{70}
TIME_PREFIX = DATE\:
MAX_TIMESTAMP_LOOKAHEAD = 80
TIME_FORMAT = %m/%d/%Y ********************************************* TIME: %H:%M %p

ajaylowes · ‎07-13-2017

does this remove the star from the event and then digest it into splunk?

woodcock · ‎07-12-2017

Show us the first 2 events and the last 2 events.

ajaylowes · ‎07-13-2017

*****************************************************************************
***************           SYSTEM    ERROR:   510762           ***************
DATE: 07/06/2017 ********************************************* TIME: 12:00 AM

<1 line text>


<2 line text>

REFERENCE CODE: DMS_RMT_FILECOPY-82727


*****************************************************************************
***************           SYSTEM    ERROR:   510763           ***************
DATE: 07/06/2017 ********************************************* TIME: 12:00 AM

<1 line text>


<2 line text>

REFERENCE CODE: DMS_RMT_FILECOPY-82728


*****************************************************************************
***************           SYSTEM    ERROR:   510764           ***************
DATE: 07/06/2017 ********************************************* TIME: 12:00 AM

<1 line text>


<2 line text>

REFERENCE CODE: DMS_RMT_FILECOPY-82727

lguinn2 · ‎07-12-2017

If this is the whole log, then it looks like you want one event per file. Try this in props.conf

[yoursourcetypehere]
BREAK_ONLY_BEFORE=^**************************************************$
TIME_PREFIX = DATE\:
MAX_TIMESTAMP_LOOKAHEAD = 200
TIME_FORMAT = %m/%d/%Y ********************************************* TIME: %H:%M %p

You may have to tweak this a bit to get it right for your log file.

ajaylowes · ‎07-12-2017

There are several similar logs in one file. Also , i need to remove stars from the log since they are unwanted.

sbbadri · ‎07-13-2017

in props.conf

[my_source_type]
SEDCMD-remove_asteriks1 = s/(\W+\s+)SYSTEM/SYSTEM/g
SEDCMD-remove_asteriks2 = s/(\s+\W+)DATE:/ DATE:/g
SEDCMD-remove_asteriks3 = s/(\s+\W+)TIME:/ TIME:/g

ajaylowes · ‎07-13-2017

hi ,

can you please explain how that works....

Writing props.conf for logfile having below log style

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!