Solved: Re: Line Breaks

JDukeSplunk · ‎06-04-2018

I need a working line-breaker for this sourcetype .I could muck about trying to get this working on my own, or I could ask here since it seems pretty simple. All of the events end with "Message()"

Here's the raw scrubbed raw event and a screencap of how Splunk is picking it up.

Jun 4 12:25:34 10.111.111.111 [0x80c0003f][AlereSSOSPDebug][info] xmlfirewall(SSOAuditLogFW): trans(11111111)[request][10.111.1.11] gtid(111111111X1111xx11x1xxxx):
Jun 4 12:25:34 10.214.8.104 Timestamp(2018-06-04T12:25:34-04:00)
Jun 4 12:25:34 10.214.8.104 ::
Jun 4 12:25:34 10.214.8.104 TransactionID(XXX-11111111)
Jun 4 12:25:34 10.214.8.104 ::
Jun 4 12:25:34 10.214.8.104 ClientId(HealthxX 1111111)
Jun 4 12:25:34 10.214.8.104 ::
Jun 4 12:25:34 10.214.8.104 UserInfo()
Jun 4 12:25:34 10.214.8.104 ::
Jun 4 12:25:34 10.214.8.104 Status(0x00000000)
Jun 4 12:25:34 10.214.8.104 ::
Jun 4 12:25:34 10.214.8.104 TimeTaken(V1_208_202_0_0_6)
Jun 4 12:25:34 10.214.8.104 ::
Jun 4 12:25:34 10.214.8.104 Message()

sshelly_splunk · ‎06-04-2018

Use the following in props.conf for the sourcetype:
"SHOULD_LINEMERGE = true
BREAK_ONLY_BEFORE = Message()$"

I tried w/your event data, and it worked for me.

View solution in original post

sshelly_splunk · ‎06-04-2018

Use the following in props.conf for the sourcetype:
"SHOULD_LINEMERGE = true
BREAK_ONLY_BEFORE = Message()$"

I tried w/your event data, and it worked for me.

JDukeSplunk · ‎09-07-2018

Yours worked in 99% of the events. What I finally ended up with was a really long regex.

BREAK_ONLY_BEFORE = \w{3}\s\d{1,2}\s\d{1,2}\:\d{1,2}\:\d{1,2}\s\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\s\[

Line Breaks

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...