Getting Data In

Can you help me with props.conf in line breakage?

vrmandadi
Builder

I want to break the events where you see the bolded timestamps below, like 12:17:50.267, 12:17:50.268, etc.

Below is the sample event

12:17:50.267 [Output view job thread] INFO c.c.d.c.s.job.impl.JobServiceImpl - Preprocessing of job ActiveJob{id='33e60f2c-326e-4a43-b9e7-266d46453330', name='Export to "All Business Terms.xlsx".', user='8c6a6194-3283-4138-ad21-a63b9700a42f', state=RUNNING} done.12:17:50.268 [Output view job thread] INFO c.c.d.c.s.job.impl.JobServiceImpl - Transaction started for job ActiveJob{id='33e60f2c-326e-4a43-b9e7-266d46453330', name='Export to "All Business Terms.xlsx".', user='8c6a6194-3283-4138-ad21-a63b9700a42f', state=RUNNING}.12:17:50.382 [Output view job thread] INFO c.c.d.c.s.job.impl.JobServiceImpl - Job ActiveJob{id='33e60f2c-326e-4a43-b9e7-266d46453330', name='Export to "All Business Terms.xlsx".', user='8c6a6194-3283-4138-ad21-a63b9700a42f', state=RUNNING} done.

I am using the below props.conf

SHOULD_LINEMERGE=false
NO_BINARY_CHECK=true
BREAK_ONLY_BEFORE=\d{2}\:\d{2}\:\d{2}\.\d{3}
0 Karma

vrmandadi
Builder

I got it. Using line breaker helped.

DATETIME_CONFIG=CURRENT
SHOULD_LINEMERGE=false
NO_BINARY_CHECK=true
LINE_BREAKER=(\d{2}:\d{2}:\d{2}.\d{3})

0 Karma

gcusello
SplunkTrust

Hi vrmandadi,
try this

SHOULD_LINEMERGE=false
NO_BINARY_CHECK=true
BREAK_ONLY_BEFORE=(\d{2}\:\d{2}\:\d{2}\.\d{3})

Bye.
Giuseppe

0 Karma

vrmandadi
Builder

It did not break. I will attach the raw data file in the question to see if that works, and that is the same thing I posted in the question.

0 Karma

gcusello
SplunkTrust

Hi vrmandadi,
modify the regex in

SHOULD_LINEMERGE=false
NO_BINARY_CHECK=true
BREAK_ONLY_BEFORE=(\d+:\d+:\d+\.\d+\s\[)

Bye.
Giuseppe

0 Karma

ssadanala1
Contributor

Here is props.conf for the File

SHOULD_LINEMERGE=false
TIME_PREFIX = ^
LINE_BREAKER = ([\r\n]+)\d{2}:\d{2}:\d{2}.\d{3}
MAX_TIMESTAMP_LOOKAHEAD = 30
TRUNCATE = 10000
TIME_FORMAT = %H:%M:%S.%3Q

Test and validate before deploying.

Cheers

0 Karma
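
Added example, not part of any post in this thread: a small Python model of how LINE_BREAKER treats its first capture group (text before the group ends one event, text after it starts the next, and the group's own text is discarded), run over a constructed, shortened version of the sample line. The function `split_events` and the third pattern `OPTIONAL_NEWLINE` are assumptions introduced here, not settings posted in the thread.

```python
import re

# Constructed sample: three events on ONE physical line (no newlines),
# shortened from the event in the question.
RAW = (
    "12:17:50.267 [Output view job thread] INFO JobServiceImpl - Preprocessing done."
    "12:17:50.268 [Output view job thread] INFO JobServiceImpl - Transaction started."
    "12:17:50.382 [Output view job thread] INFO JobServiceImpl - Job done."
)

def split_events(raw, line_breaker):
    """Model of LINE_BREAKER: the start of capture group 1 ends the previous
    event, the end of group 1 starts the next one, and the text inside
    group 1 is dropped from both."""
    events, start = [], 0
    for m in re.finditer(line_breaker, raw):
        events.append(raw[start:m.start(1)])
        start = m.end(1)
    events.append(raw[start:])
    return [e for e in events if e]  # drop the empty leading chunk

# Pattern from the post that reported success: the timestamp IS group 1,
# so events break but the timestamp text is discarded.
CAPTURE_TS = r"(\d{2}:\d{2}:\d{2}.\d{3})"

# Pattern from the props.conf above: requires at least one CR/LF before the
# timestamp, which this single-line data never contains.
NEWLINE_THEN_TS = r"([\r\n]+)\d{2}:\d{2}:\d{2}.\d{3}"

# Assumption (not from the thread): group 1 may be empty, so the break
# happens at the timestamp and the timestamp stays in the event.
OPTIONAL_NEWLINE = r"([\r\n]*)\d{2}:\d{2}:\d{2}\.\d{3}"

if __name__ == "__main__":
    for name, pattern in [("CAPTURE_TS", CAPTURE_TS),
                          ("NEWLINE_THEN_TS", NEWLINE_THEN_TS),
                          ("OPTIONAL_NEWLINE", OPTIONAL_NEWLINE)]:
        events = split_events(RAW, pattern)
        print(f"{name}: {len(events)} event(s)")
        for e in events:
            print("   ", repr(e[:45]))
```

The model mirrors only the capture-group rule; timestamp extraction (TIME_PREFIX, TIME_FORMAT, DATETIME_CONFIG) is separate, so confirm any pattern against a test index before deploying.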

vrmandadi
Builder

I tested it; it is not working.

0 Karma

mstjohn_splunk
Splunk Employee

Hi @vrmandadi,

Could you be more clear about what you need help with? Thanks for posting!

0 Karma

vrmandadi
Builder

I want to break the events where you see the timestamp, like 12:17:50.267, 12:17:50.268, etc.

0 Karma

vrmandadi
Builder

Am I clear, or do I need to add more information?

0 Karma