HOW TO USE LINE_BREAKER 3?

DuXa · ‎05-27-2015

Hello, I have logs with some events. My events start from:"main: number of bytes received: " and finish to:"msgsnd_w_retry [dst task: COMMSINT, time: 27/03/2011 09:48:31.0157]: Send msg to queue 34504712". I use line Line breaker: "LINE_BREAKER= (^.)*+Send\s+msg\s+to\s+queue\s+\d* (\n)* (^.)*+\v*+\s*+main+:+\s*+number+\s*+of+\s*+bytes+\s*+received+:+\s*+\d" and I want to see only my event . But It doesn't not work. Help mу pls.

richgalloway · ‎05-27-2015

The LINE_BREAKER statement is an unquoted regex string that defines the text that comes between events. A capturing group is required and the contents of that group will be discarded. You probably want something like:

LINE_BREAKER = ([\r\n])main:

---
If this reply helps you, Karma would be appreciated.

DuXa · ‎05-27-2015

Yes, I want this, but i don't how how to write?

richgalloway · ‎05-27-2015

Use a site like regex101.com to find a regex string that finds the separators between your events. Put that regex string in your local/props.conf file under the appropriate stanza. Restart Splunk for the change to take effect.

---
If this reply helps you, Karma would be appreciated.

HOW TO USE LINE_BREAKER 3?

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...