linebreak on expression passed into log

fisuser1
Contributor

Trying to do a linebreak on "CIB" being passed into log. (I know, these logs are awful.) Having problems breaking on the CIB expression though. Any suggestions? Splunk wants to break on OFX.

SHOULD_LINEMERGE=false
LINE_BREAKER=(^(?P\w+\s+))
TZ=America/Chicago

Log Format:

CIB 2019-05-06 09:07:30,839] [THREAD: iner : 17] com.ffusion.ffs.ofx.servlets.OFXServlet - Mon May 06 09:07:30 CDT 2019: OFXServlet: OFXHEADER:100
DATA:OFXSGML
VERSION:151
SECURITY:NONE
ENCODING:USASCII

                   20190506090730.831         19640191         ctaxnqidzgkzuete1557133644150B1732PK0400         ENG                    426           051900395                  CIB         0200         Y         PROD                                 -2b777cc0:16a8c453ac4:-2a0a                                 051900395             87836273             CHECKING                                   20190506             20190506             Y             Y                                   

                   20190506090730.796         13927199         wlipfswymcgvelcy1557133638179B1182PK0400         ENG                    642           071901604                  CIB         0200         Y         PROD                                 -12f8b87f:16a8c39e671:-e19                                 071901604             3332930001             CHECKING                                   20190506             20190506             Y             Y                                   

CIB 2019-05-06 09:07:30,724] [THREAD: iner : 40] com.ffusion.ffs.ofx.servlets.OFXServlet - Mon May 06 09:07:30 CDT 2019: OFXServlet: RQID:20190506140725.981_5323260_zoadfefhnclstbhc1557151644827B2797PK0900 user: null is authorized
CIB 2019-05-06 09:07:30,724] [THREAD: iner : 40] com.ffusion.ffs.ofx.servlets.OFXServlet - Inside New Parser processing
CIB 2019-05-06 09:07:30,885] [THREAD: iner : 40] com.ffusion.ffs.ofx.servlets.OFXServlet - Mon May 06 09:07:30 CDT 2019: OFXServlet: OFXHEADER:100
DATA:OFXSGML
VERSION:151

CIB 2019-05-06 09:07:30,723] [THREAD: iner : 40] com.ffusion.ffs.ofx.servlets.OFXServlet - Mon May 06 09:07:30 CDT 2019: OFXServlet: RQID:20190506140725.981_5323260_zoadfefhnclstbhc1557151644827B2797PK0900 OFXHEADER:100
DATA:OFXSGML
VERSION:151
SECURITY:NONE
ENCODING:USASCII

                   20190506090730.708         9866661         vfhntpuabsayykui1557133650682B1172PK0400         ENG                    774           084201294                  CIB         0200         Y         PROD                                 -12f8b87f:16a8c39e671:-e1b                    19990101           Y           Y           N           Y           Y                        

                   20190506090730.670         11761432         zhecbsmbwliobrgk1557133646660B2948PK0400         ENG                    144           111102758                  CIB         0200         Y         PROD                                 -125ceb71:16a8c6053a2:-7e56         TRHST         500                                 111102758             261503081             CHECKING                                   20190410             20190506             Y                                   

                   20190506090730.647         8480130         yxsidmahmlailtri1557133622247B2718PK0400         ENG                    448           325081306                  CIB         0200         Y         PROD                                 -125ceb71:16a8c6053a2:-7e5a         ESP                    20180406           20190506                        2000510-1             LOAN                                   

                   20190506090730.639         8964814         ooaxvqjugedktndw1557133650611B2878PK0400         ENG                    092           211871691                  CIB         0200         Y         PROD                                 -12f8b87f:16a8c39e671:-e1f                    19990101           Y           Y           N           Y                        

                   20190506090730.633         8437258         yqfixwpbmjyuxycs1557133650578B2585PK0400         ENG                    158           071925567                  CIB         0200         Y         PROD                                 4c4e9ea8:16a8bfa5cde:-68b2                    19990101           Y           Y           N           Y                        

                   20190506090730.621         9516145         oaergmlhxnraymbb1557133647475B2893PK0400         ENG                    446           096010415                  CIB         0200         Y         PROD                                 -492b898c:16a8a6f9bd4:4ba5         TRHST         500                                 096010415             69833115             SAVINGS                                   20190429             20190506             Y                                   
1 Solution

maciep
Champion

Didn't test, but maybe something like this:

LINE_BREAKER = ([\r\n]+)(?=CIB\s+\d{4}\-\d{2}\-\d{2})

In general I typically include the line breakers in the capture group, followed by the thing that starts each event in a positive lookahead.
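
The pattern from the answer above, exercised in an added example that is not part of the original posts: Python's `re` approximates how Splunk applies `LINE_BREAKER` with `SHOULD_LINEMERGE=false`, where the text matched by the first capture group is discarded and separates events. `break_events`, `DEFAULT_BREAKER` and the shortened `SAMPLE` lines are constructed for illustration.

```python
import re

# Pattern copied from the answer above.
LINE_BREAKER = r"([\r\n]+)(?=CIB\s+\d{4}\-\d{2}\-\d{2})"
# Break on every newline run, for comparison (assumed baseline).
DEFAULT_BREAKER = r"([\r\n]+)"

# Constructed sample, shortened from the log lines in the question.
# Note the payload line that contains "CIB" in the middle of the line.
SAMPLE = (
    "CIB 2019-05-06 09:07:30,839] [THREAD: iner : 17] OFXServlet: OFXHEADER:100\n"
    "DATA:OFXSGML\n"
    "VERSION:151\n"
    "SECURITY:NONE\n"
    "  20190506090730.831  ENG  CIB  0200  Y  PROD\n"
    "CIB 2019-05-06 09:07:30,724] [THREAD: iner : 40] OFXServlet - Inside New Parser processing\n"
    "CIB 2019-05-06 09:07:30,885] [THREAD: iner : 40] OFXServlet: OFXHEADER:100\n"
    "DATA:OFXSGML"
)


def break_events(raw, line_breaker):
    """Approximate Splunk line breaking with SHOULD_LINEMERGE=false.

    The start of capture group 1 ends the previous event, the end of
    capture group 1 starts the next one, and the group itself is dropped.
    """
    events, start = [], 0
    for match in re.finditer(line_breaker, raw):
        events.append(raw[start:match.start(1)])
        start = match.end(1)
    events.append(raw[start:])
    return [event for event in events if event]


if __name__ == "__main__":
    for name, pattern in (("lookahead", LINE_BREAKER), ("newline only", DEFAULT_BREAKER)):
        events = break_events(SAMPLE, pattern)
        print(f"{name}: {len(events)} events")
        for event in events:
            print("  ", event.splitlines()[0][:60], f"(+{event.count(chr(10))} more lines)")
```

Because the lookahead requires `CIB` plus a date immediately after the newline, the `CIB` value inside the payload line does not start a new event, and the OFX header lines stay attached to the `CIB` line that precedes them.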
