Solved: Line breaks and regex help

j666gak · ‎08-15-2012

Hello,

I am having issues when Splunk is reading an XML file. I need Splunk to know that a transaction starts with and finishes with , instead of line breaks all over the place.

I'm not sure what the regex I need for this is? and would I need to add it to props.conf or transforms.conf or something else?

  <diary_entry>
  <id>560494</id>
  <entry_time>2011-08-25 12:36:00 UTC</entry_time>
  <blood_glucose>15.4</blood_glucose>
  <carbohydrate_portions>5</carbohydrate_portions>
  <quick_insulin>3</quick_insulin>
  <background_insulin></background_insulin>
  <ratio>1:1</ratio>
  <entry_type>CORR</entry_type>
  <target_min_bg>4.5</target_min_bg>
  <target_max_bg>7.5</target_max_bg>
  <ketones></ketones>
  <comments></comments>
  <injection_site>Stomach</injection_site>
  <updated_at>2011-08-25 22:44:02 UTC</updated_at>
</diary_entry>

Ayn · ‎08-15-2012

You need to add it as a LINE_BREAKER directive in props.conf. Like this:

[yoursourcetype]
LINE_BREAKER = ([\r\n]+)<diary_entry>

View solution in original post

Ayn · ‎08-15-2012

You need to add it as a LINE_BREAKER directive in props.conf. Like this:

[yoursourcetype]
LINE_BREAKER = ([\r\n]+)<diary_entry>

kristian_kolb · ‎08-15-2012

Already indexed data will not be altered by this operation. Any new data coming in should be broken into separate event according to your config.

j666gak · ‎08-15-2012

I have edited the props.conf and restarted the Splunk server but nothing has changed. Does the data need to be re-indexed?

j666gak · ‎08-15-2012

just trying it now and testing

Thanks

kristian_kolb · ‎08-15-2012

and don't forget to also set

SHOULD_LINEMERGE=false TIME_PREFIX=

note that the latter may not be required if your timestamps are parsed correctly without it.

Line breaks and regex help

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases