Is it possible to have multiple break_only_before regex for one sourcetype

freern
New Member

I'm currently working through each of my company's Java apps and updating their sourcetypes using transforms and regexing each sourcetype. With a few exceptions, most apps will have an app, access and audit log.

The one issue I've now run into is that one of the apps we use has several logs that would fall under the "app log" remit; however, the log formatting is completely different, so there is no way to use the standard regex we use for app logs.

For example, a standard app log would have each entry prefixed with the following date/time:

2020-02-10T00:02:39,851

The app I'm currently working on has an app log of:

Feb 10, 2020 10:40:03 AM GMT

Is it possible to have multiple BREAK_ONLY_BEFORE regexes for a sourcetype in props.conf? I'm trying to avoid having to create a brand new sourcetype just for one app's app log.

I hope this question makes sense. Please let me know if you need any more information.

richgalloway
SplunkTrust

You can have multiple BREAK_ONLY_BEFORE settings, but only one of them will be used.
You should be able to define a regex that uses the | operator to specify multiple matching criteria.

---
If this reply helps you, Karma would be appreciated.

freern
New Member

Hi Rich,

So would something like the following work?

[ukis_sandman_app]
TRANSFORMS-changesourcetype = ukiss_sandman_app_regex_sourcetype
TIME_PREFIX=^
BREAK_ONLY_BEFORE = ^\d{4}-\d{2}-\d{2}.\d{2}:\d{2}:\d{2}.\d{3} | ^\w{3}\s\d{1,2},\s\d{4}\s\d{1,2}\:\d{2}\:\d{2}\s\w{2}
TRUNCATE=0
MAX_EVENTS=10000

richgalloway
SplunkTrust

Test it in regex101.com, but I believe you need parentheses around each side of the | to ensure proper processing.

---
If this reply helps you, Karma would be appreciated.
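The grouping point from Rich's answer, as an added example that is not from the thread or from Splunk: a small Python script that simulates BREAK_ONLY_BEFORE line merging over a constructed two-format log, and shows why the pattern as posted (literal spaces around `|`, no grouping) never starts an event on the second timestamp format while a grouped alternation does. The sample log lines and the event-splitting logic are assumptions of this example, not Splunk internals.

```python
import re

# Constructed sample: two Java apps writing different timestamp prefixes
# into one sourcetype, with multi-line continuation (stack trace, key=value).
SAMPLE_LOG = """\
2020-02-10T00:02:39,851 INFO  [main] Application started
2020-02-10T00:02:40,102 ERROR [worker-1] Unhandled exception
java.lang.NullPointerException
    at com.example.Service.run(Service.java:42)
Feb 10, 2020 10:40:03 AM GMT INFO Scheduler started
Feb 10, 2020 10:40:04 AM GMT WARN Queue depth high
    queue=jobs depth=1200
"""

# The pattern as posted in the thread. The spaces around | are literal
# characters: the first alternative demands a trailing space and the second
# begins with " ^", which can never match at the start of a line.
POSTED_PATTERN = (
    r"^\d{4}-\d{2}-\d{2}.\d{2}:\d{2}:\d{2}.\d{3} | "
    r"^\w{3}\s\d{1,2},\s\d{4}\s\d{1,2}\:\d{2}\:\d{2}\s\w{2}"
)

# Grouped form: one anchor, both alternatives in a non-capturing group.
# This is the value to put on the BREAK_ONLY_BEFORE line in props.conf.
GROUPED_PATTERN = (
    r"^(?:\d{4}-\d{2}-\d{2}.\d{2}:\d{2}:\d{2}.\d{3}"
    r"|\w{3}\s\d{1,2},\s\d{4}\s\d{1,2}:\d{2}:\d{2}\s\w{2})"
)


def break_events(raw: str, break_only_before: str) -> list[str]:
    """Approximate BREAK_ONLY_BEFORE: a new event starts at every line the
    regex matches; any other line is appended to the current event."""
    pattern = re.compile(break_only_before)
    events: list[str] = []
    for line in raw.splitlines():
        if pattern.match(line) or not events:
            events.append(line)
        else:
            events[-1] += "\n" + line
    return events


if __name__ == "__main__":
    for name, pat in (("posted", POSTED_PATTERN), ("grouped", GROUPED_PATTERN)):
        evs = break_events(SAMPLE_LOG, pat)
        print(f"{name}: {len(evs)} events")
        for ev in evs:
            print("  " + ev.replace("\n", "\n    "))
```

The posted pattern merges everything from the second 2020-02-10 line onward into one event, while the grouped pattern yields four events, each carrying its own continuation lines.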