How to line break at indent

bah5663_98 · ‎07-10-2019

I'm trying to split log4j Java exceptions. I need to split a large event into smaller events where an indent does not occur, except when there is a "caused by" clause. I know that I need to edit line_breaker in props.conf, but am not sure of the regex syntax.

So basically I need to know how to break at an indented line, but not one that is indented, with the exception being "Caused by".

com.matrixone.apps.domain.util.BHTBackgroundProcess.invokeInBackground(BHTBackgroundProcess.java:394) | 2019-07-05 03:07:25,692 | ERROR | Business object has no signature 'GoToSucceded'
    at matrix.db.BusinessObject.rejectSignature(BusinessObject.java:2656)
    at com.matrixone.apps.domain.util.BHTBackgroundProcess.invokeInBackground(BHTBackgroundProcess.java:361)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
    at java.lang.reflect.Method.invoke(Unknown Source)
    at com.matrixone.apps.domain.util.BHTBackgroundProcess$CustomBackgroundProcessThread.run(BHTBackgroundProcess.java:65)
    at com.matrixone.threadpool.DefaultThreadPool.run(DefaultThreadPool.java:185)
    at java.lang.Thread.run(Unknown Source
Business object has no signature 'GoToSucceded'
    at com.matrixone.apps.domain.util.BHTBackgroundProcess$CustomBackgroundProcessThread.run(BHTBackgroundProcess.java:71)
    at com.matrixone.threadpool.DefaultThreadPool.run(DefaultThreadPool.java:185)
    at java.lang.Thread.run(Unknown Source)
java.lang.reflect.InvocationTargetException
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
    at java.lang.reflect.Method.invoke(Unknown Source)
    at com.matrixone.apps.domain.util.BHTBackgroundProcess.invokeInBackground(BHTBackgroundProcess.java:315)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
    at java.lang.reflect.Method.invoke(Unknown Source)
    at com.matrixone.apps.domain.util.BHTBackgroundProcess$CustomBackgroundProcessThread.run(BHTBackgroundProcess.java:65)
    at com.matrixone.threadpool.DefaultThreadPool.run(DefaultThreadPool.java:185)
    at java.lang.Thread.run(Unknown Source)
Caused by: java.lang.Exception: Error Message: STEP validation fails for one or more STEP files checked-in to the derived format
    at com.bht.catia.batch.STEPValidation.StepValidationBatch.checkAndReleaseDerivedFormat(StepValidationBatch.java:439)
    at com.bht.catia.batch.STEPValidation.StepValidationBatch.processSTEPFilesValidation(StepValidationBatch.java:114)
    at com.bht.catia.batch.STEPValidation.StepValidationProxy.initiateSTEPValidationBackgroundJob(StepValidationProxy.java:79)
    ... 12 more
java.lang.reflect.InvocationTargetException
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
    at java.lang.reflect.Method.invoke(Unknown Source)
    at com.matrixone.apps.domain.util.BHTBackgroundProcess.invokeInBackground(BHTBackgroundProcess.java:315)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
    at java.lang.reflect.Method.invoke(Unknown Source)
    at com.matrixone.apps.domain.util.BHTBackgroundProcess$CustomBackgroundProcessThread.run(BHTBackgroundProcess.java:65)
    at com.matrixone.threadpool.DefaultThreadPool.run(DefaultThreadPool.java:185)
    at java.lang.Thread.run(Unknown Source)
Caused by: java.lang.Exception: Error Message: STEP validation fails for one or more STEP files checked-in to the derived format
    at com.bht.catia.batch.STEPValidation.StepValidationBatch.checkAndReleaseDerivedFormat(StepValidationBatch.java:439)
    at com.bht.catia.batch.STEPValidation.StepValidationBatch.processSTEPFilesValidation(StepValidationBatch.java:114)
    at com.bht.catia.batch.STEPValidation.StepValidationProxy.initiateSTEPValidationBackgroundJob(StepValidationProxy.java:79)
    ... 12 more

I placed dashes where I need breaks.

woodcock · ‎07-13-2019

Like this:

SHOULD_LINEMERGE=false
LINE_BREAKER = ([\r\n]+)(?!\s|Caused by:)

ragedsparrow · ‎07-12-2019

Here is what I came up with based on your description:

 [<sourcetype>]
 DATETIME_CONFIG=CURRENT
 SHOULD_LINEMERGE=false
 LINE_BREAKER=([\r\n]+)[^\s|C]
 NO_BINARY_CHECK=true

If there is no other "non-indented" line that begins with "C", the above will work. It's hard to do an exclude in RegEx for a complete string.

Using your test data, I was able to get it to line break:

oscar84x · ‎07-10-2019

Try this as your line breaker regex:

()\s^[^\s|Caused by]

oscar84x · ‎07-11-2019

@bah5663_98. Please let me know if you've tried the regex above as your line breaker. I think it should work.

woodcock · ‎07-10-2019

show a stream of logs and indicate where they should (and should not) be broken.

bah5663_98 · ‎07-10-2019

I updated the question. The dashes are where breaks should occur. Thanks.

woodcock · ‎07-10-2019

We really need the text so that we can work with RegEx tools on your events. Pictures do not allow us to do that.

bah5663_98 · ‎07-10-2019

Sorry again. I added the text but the indented format is off. It usually looks as it does in the picture.

woodcock · ‎07-10-2019

The text isn't the same either, it does not contain "Business object". We cannot help you if you don't give us sample events that match your desired outcome mockup.

How to line break at indent

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!