Solved: Line breaks and regex help

j666gak · ‎08-15-2012

Hello,

I am having issues when Splunk is reading an XML file. I need Splunk to know that a transaction starts with and finishes with , instead of line breaks all over the place.

I'm not sure what the regex I need for this is? and would I need to add it to props.conf or transforms.conf or something else?

  <diary_entry>
  <id>560494</id>
  <entry_time>2011-08-25 12:36:00 UTC</entry_time>
  <blood_glucose>15.4</blood_glucose>
  <carbohydrate_portions>5</carbohydrate_portions>
  <quick_insulin>3</quick_insulin>
  <background_insulin></background_insulin>
  <ratio>1:1</ratio>
  <entry_type>CORR</entry_type>
  <target_min_bg>4.5</target_min_bg>
  <target_max_bg>7.5</target_max_bg>
  <ketones></ketones>
  <comments></comments>
  <injection_site>Stomach</injection_site>
  <updated_at>2011-08-25 22:44:02 UTC</updated_at>
</diary_entry>

Ayn · ‎08-15-2012

You need to add it as a LINE_BREAKER directive in props.conf. Like this:

[yoursourcetype]
LINE_BREAKER = ([\r\n]+)<diary_entry>

View solution in original post

Ayn · ‎08-15-2012

You need to add it as a LINE_BREAKER directive in props.conf. Like this:

[yoursourcetype]
LINE_BREAKER = ([\r\n]+)<diary_entry>

kristian_kolb · ‎08-15-2012

Already indexed data will not be altered by this operation. Any new data coming in should be broken into separate event according to your config.

j666gak · ‎08-15-2012

I have edited the props.conf and restarted the Splunk server but nothing has changed. Does the data need to be re-indexed?

j666gak · ‎08-15-2012

just trying it now and testing

Thanks

kristian_kolb · ‎08-15-2012

and don't forget to also set

SHOULD_LINEMERGE=false TIME_PREFIX=

note that the latter may not be required if your timestamps are parsed correctly without it.

Line breaks and regex help

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!