Hi.
I have my data something like this:
SRFR10279A1 R10A1 R0033201 cdain LOW SDEDS1 C1600002 0 0 0 20140316 00002000 20140316 00000600 20140316 0
0000600 000000 NPROTTCP cdteipal01 00 04096 U15 ./TPULL/ /host/dsds/XXXXX/EIPAL
SRFR10279A1 R102A1 R0033201 cdmin LOW SDEDS1 C1600001 0 0 0 20140316 00001000 20140316 00000600 20140316 0
0000600 000000 NPROTTCP cdteipal01 00 04096 U15 ./TPUSAGE/EIPAL_USERDETAIL_PULL_20140316000002 /deds-host/ds/XXXXX/EIPAL
USION SION R0201 xfr_deds LOW SDEDS C1600001 0 0 0 20140316 00001000 20140316 00000600 20140316 0
0000600 000000 SSION cdtronm01 00 04096 U15 /host/wcadata/OUTGOING/XXX/./IPVS/
These are sample events. All the event data has two blank lines between events.
I have tried something like this in my props.conf:
[props]
BREAK_ONLY_BEFORE=[\r\n\]+\s
NO_BINARY_CHECK=1
SHOULD_LINEMERGE=false
Firstly, your configs don't add up. BREAK_ONLY_BEFORE only has meaning when SHOULD_LINEMERGE is set to "true". Many times these kinds of problems arise from improper timestamp recognition.
Assuming that this is a single-line event, and that the "20140316 00002000" (in the first event) is the timestamp, meaning 2014-03-16 00:00:20.00, something like this could work:
props.conf
[your_sourcetype]
SHOULD_LINEMERGE=false
LINE_BREAKER = ([\r\n]+)
MAX_TIMESTAMP_LOOKAHEAD = 250
TIME_PREFIX = ^\s*(\S+\s+){10}
TIME_FORMAT = %Y%m%d %H%M%S%2N
EDIT: fixed a typo in TIME_FORMAT
/k
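To see what the settings in this answer actually do to the records posted in the question, here is an added Python simulation of Splunk's LINE_BREAKER, TIME_PREFIX, MAX_TIMESTAMP_LOOKAHEAD and TIME_FORMAT handling. It is not Splunk's code and not part of the answer: the regexes named ANSWER_LINE_BREAKER, TIME_PREFIX and TIME_FORMAT copy the props.conf above; BLANK_LINE_BREAKER is an assumed alternative that breaks on blank lines instead, added to show the two-line-per-event layout the question describes, which goes beyond the single-line case the answer assumed. The sample text is constructed from the three records in the question, and the %2N handling is a hand-written approximation of Splunk's subsecond token.

```python
import re
from datetime import datetime

# Constructed sample built from the three records in the question, laid out the
# way the question describes them: two physical lines per event, two blank lines
# between events.
RAW = (
    "SRFR10279A1 R10A1 R0033201 cdain LOW SDEDS1 C1600002 0 0 0 20140316 00002000 20140316 00000600 20140316 0\n"
    "0000600 000000 NPROTTCP cdteipal01 00 04096 U15 ./TPULL/ /host/dsds/XXXXX/EIPAL\n"
    "\n"
    "\n"
    "SRFR10279A1 R102A1 R0033201 cdmin LOW SDEDS1 C1600001 0 0 0 20140316 00001000 20140316 00000600 20140316 0\n"
    "0000600 000000 NPROTTCP cdteipal01 00 04096 U15 ./TPUSAGE/EIPAL_USERDETAIL_PULL_20140316000002 /deds-host/ds/XXXXX/EIPAL\n"
    "\n"
    "\n"
    "USION SION R0201 xfr_deds LOW SDEDS C1600001 0 0 0 20140316 00001000 20140316 00000600 20140316 0\n"
    "0000600 000000 SSION cdtronm01 00 04096 U15 /host/wcadata/OUTGOING/XXX/./IPVS/\n"
)

# The settings from the answer above, copied verbatim.
ANSWER_LINE_BREAKER = r"([\r\n]+)"
TIME_PREFIX = r"^\s*(\S+\s+){10}"
TIME_FORMAT = "%Y%m%d %H%M%S%2N"
MAX_TIMESTAMP_LOOKAHEAD = 250

# Assumed alternative (not from the thread): a run of two or more newlines,
# i.e. at least one blank line, is the event boundary.
BLANK_LINE_BREAKER = r"((?:\r?\n){2,})"


def break_events(raw, line_breaker):
    """Mimic Splunk LINE_BREAKER: the text matched by capture group 1 is the
    delimiter and is discarded; everything else is event text."""
    events, pos = [], 0
    for m in re.finditer(line_breaker, raw):
        events.append(raw[pos:m.start(1)])
        pos = m.end(1)
    events.append(raw[pos:])
    return [e for e in events if e.strip()]


# strptime tokens needed by the answer's TIME_FORMAT. %2N is Splunk's two-digit
# subsecond field; Python's strptime has no equivalent, so the format is
# compiled to a regex with one named group per token instead.
TOKENS = {
    "%Y": r"(?P<Y>\d{4})", "%m": r"(?P<m>\d{2})", "%d": r"(?P<d>\d{2})",
    "%H": r"(?P<H>\d{2})", "%M": r"(?P<M>\d{2})", "%S": r"(?P<S>\d{2})",
    "%2N": r"(?P<N>\d{2})",
}


def format_to_regex(time_format):
    pattern, i = "", 0
    while i < len(time_format):
        for tok, rx in TOKENS.items():
            if time_format.startswith(tok, i):
                pattern += rx
                i += len(tok)
                break
        else:  # literal character (the space between date and time)
            pattern += re.escape(time_format[i])
            i += 1
    return re.compile(pattern)


def extract_timestamp(event, time_prefix=TIME_PREFIX, time_format=TIME_FORMAT,
                      lookahead=MAX_TIMESTAMP_LOOKAHEAD):
    """Mimic TIME_PREFIX / MAX_TIMESTAMP_LOOKAHEAD / TIME_FORMAT: the timestamp
    must begin right after the prefix match and fit the format within the
    lookahead window. Returns None when recognition fails, as it does for the
    second physical line of each record (fewer than 10 fields)."""
    m = re.search(time_prefix, event)
    if not m:
        return None
    t = format_to_regex(time_format).match(event, m.end(), m.end() + lookahead)
    if not t:
        return None
    g = t.groupdict()
    subsec = int(g.get("N", 0)) * 10_000  # hundredths -> microseconds
    return datetime(int(g["Y"]), int(g["m"]), int(g["d"]),
                    int(g["H"]), int(g["M"]), int(g["S"]), subsec)


def timestamps(raw, line_breaker):
    return [extract_timestamp(e) for e in break_events(raw, line_breaker)]


if __name__ == "__main__":
    for name, breaker in (("answer", ANSWER_LINE_BREAKER),
                          ("blank-line", BLANK_LINE_BREAKER)):
        for ev, ts in zip(break_events(RAW, breaker), timestamps(RAW, breaker)):
            print(f"{name:10} {ts}  {ev.splitlines()[0][:40]}...")
```

With the answer's breaker every physical line becomes its own event, so the continuation lines (which have fewer than ten fields) get no timestamp and Splunk would fall back to the previous event's time or the index time; with the blank-line breaker each record stays one event and all three timestamps are recognised at the eleventh field.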
It is multiline. I have 2 lines of data continuously with 2 empty lines between them.
Err, I made a typo (in TIME_FORMAT), but perhaps you spotted that and took the appropriate action.
Fixed it now.
Could you tell us more about your event format? single line, multi line?
Hi Kristian... thanks for your update. Even this didn't work on my data 😞
Are these data spread over multiple lines or whole event appears in one line?