Getting Data In

Cannot get custom sourcetype to do line breaks correctly

bobryant
New Member

We have Splunk Enterprise with a SH, clustered IX (2), a HF and many UFs. I have created an app in the deployment apps folder (with inputs.conf and props.conf) on the deployment manager and deployed it to a server running a UF. Ingestion begins as expected but does not line break as desired.

Log looks like this:
...........................
ipro Trace started on Thursday, July 12, 2018 at 8:16:12 PM Central Daylight Time(en-US)
Machine: P-XXXXXXX, Culture: en-US, UI Culture: en-US
Ini Settings:

20:16:12.672 Tid=4,Log file created.

20:16:12.679 Tid=4,Running module as Windows Service

20:16:12.680 Tid=4,Product version: 7.99.999.9331

20:16:12.813 Tid=9,Conn=1,ElapseMs=0,ipro:Received
RequestOnly, PingToClient, HeaderSize=4, DataSize=0

20:16:12.813 Tid=4,Conn=1,ElapseMs=1,ipro:Sent
RequestResponse, Connect, HeaderSize=43, DataSize=269
............................

Splunk appears to get that the date stamp is in the first row of the log file and that the time stamps appear at the beginning of each row. The problem is line breaking. I want it to break at each time stamp, allowing multi-line log entries to merge into one event.

I have tried a number of different options in the props.conf file and specified several different regexes. Nothing I do seems to change the outcome. I wonder if I am deploying this correctly. It seems to break lines randomly; most of the time there are two or more log entries in each Splunk event. The number of log entries in each event is not consistent, so I do not know what it is breaking on.

Here is inputs.conf
...........................
[monitor://c:\ProgramData\XXX\XXXXXXX\ipro\XXXX\]
disabled = false
index = ipro
followtail = 0
sourcetype = appx:ipro
whitelist = \.txt$
ignoreOlderThan = 0d
...................................

Here is props.conf
..................................
[appx:ipro]
BREAK_ONLY_BEFORE_DATE = false
BREAK_ONLY_BEFORE = [0-9]{2}:[0-9]{2}:[0-9]{2}\.
DATETIME_CONFIG =
MAX_TIMESTAMP_LOOKAHEAD = 80
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = true
category = Custom
description = ipro logs
disabled = false
pulldown_type = true
........................................

Any suggestions would be helpful.

0 Karma

markusspitzli
Communicator

Hi @bobryant

You said that you put the inputs.conf and props.conf on the UF. Is that correct?

If yes, that explains why the line breaking doesn't work. Your props.conf should be located on the first Splunk Enterprise instance. This instance is responsible for parsing and will do the line breaking and timestamp extraction. This can be either a HF or an Indexer.

I just noticed that you use the BREAK_ONLY_BEFORE parameters. I would replace them with LINE_BREAKER and SHOULD_LINEMERGE = false. This way you get more performance out of Splunk, and it is also best practice.

The config could look like this:

[appx:ipro]
# break before each HH:MM:SS.mmm timestamp; only the captured newlines are discarded
LINE_BREAKER = ([\r\n]+)\d{2}:\d{2}:\d{2}\.\d{3}
# the timestamp sits at the very start of each event, so a short lookahead is enough
MAX_TIMESTAMP_LOOKAHEAD = 30
NO_BINARY_CHECK = true
# each LINE_BREAKER segment is one event; no further merging
SHOULD_LINEMERGE = false
0 Karma
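The LINE_BREAKER behaviour described in the reply above, as an added example that is not from either poster and not Splunk's own code: a small Python simulation of a first-capture-group line breaker, run over the question's log excerpt (reproduced inline as constructed sample input, with the host name still masked as the poster masked it). It approximates Splunk's documented semantics, where the captured text ends the previous event and is dropped, and everything after the group starts the next event; the lookahead helper is a hypothetical check, not a Splunk API.

```python
import re
from typing import List

# Constructed sample: the log excerpt from the question, including the blank
# lines the poster showed and two entries that span more than one line.
SAMPLE_LOG = """\
ipro Trace started on Thursday, July 12, 2018 at 8:16:12 PM Central Daylight Time(en-US)
Machine: P-XXXXXXX, Culture: en-US, UI Culture: en-US
Ini Settings:

20:16:12.672 Tid=4,Log file created.

20:16:12.679 Tid=4,Running module as Windows Service

20:16:12.680 Tid=4,Product version: 7.99.999.9331

20:16:12.813 Tid=9,Conn=1,ElapseMs=0,ipro:Received
RequestOnly, PingToClient, HeaderSize=4, DataSize=0

20:16:12.813 Tid=4,Conn=1,ElapseMs=1,ipro:Sent
RequestResponse, Connect, HeaderSize=43, DataSize=269
"""

# The LINE_BREAKER value from the reply above.
LINE_BREAKER = r"([\r\n]+)\d{2}:\d{2}:\d{2}\.\d{3}"

# Timestamp shape this sourcetype uses (HH:MM:SS.mmm).
TIMESTAMP_RE = re.compile(r"\d{2}:\d{2}:\d{2}\.\d{3}")


def line_break(raw: str, line_breaker: str) -> List[str]:
    """Approximate Splunk's LINE_BREAKER with SHOULD_LINEMERGE = false.

    Wherever the regex matches, the start of the first capture group ends the
    previous event and the end of the capture group starts the next one. The
    captured text (here, the newlines) is discarded; the rest of the match (the
    timestamp) stays at the head of the new event. Lines that are not followed
    by a timestamp, such as the continuation lines of the Received/Sent
    entries, never match and therefore stay inside the current event.
    """
    pattern = re.compile(line_breaker)
    events = []
    start = 0
    for m in pattern.finditer(raw):
        events.append(raw[start:m.start(1)])
        start = m.end(1)
    events.append(raw[start:])
    # Drop trailing newlines and any empty chunk at the end of the stream.
    return [e.rstrip("\r\n") for e in events if e.strip()]


def timestamp_within_lookahead(event: str, lookahead: int = 30) -> bool:
    """Hypothetical check mirroring MAX_TIMESTAMP_LOOKAHEAD: does an
    HH:MM:SS.mmm timestamp appear within the first `lookahead` characters
    of the event? (Splunk's fallback when it does not is not modelled here.)
    """
    return TIMESTAMP_RE.search(event[:lookahead]) is not None


if __name__ == "__main__":
    for n, ev in enumerate(line_break(SAMPLE_LOG, LINE_BREAKER), 1):
        flag = "ts-ok " if timestamp_within_lookahead(ev) else "no-ts "
        print(f"--- event {n} [{flag}] ---")
        print(ev)
```

Running this yields six events: the three-line trace header, three single-line entries, and the two multi-line Received/Sent entries kept whole. Only the header lacks an HH:MM:SS.mmm timestamp inside the 30-character lookahead, which is the one event a practitioner would want to inspect separately after deploying the stanza to the parsing tier.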