Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Line breaking : problem with blank lines ?

DavidCaputo
Path Finder
‎12-18-2019 01:32 AM

Hi experts,
I'm collecting logs wich look like this :

2019-12-18_09:51:42.982 [] [req-] INFO ParGideBS.getByCle bulletinDispatch.timeout 0ms
2019-12-18_09:51:42.983 [] [req-] INFO ParGideBS.getByCle bulletinDispatch.timeout 0ms
2019-12-18_09:51:42.984 [] [req-] INFO AttributionBullBS.findAllBullDispatchD1EtD2 bulletinDispatch.timeout 1ms
2019-12-18_09:51:42.985 [] [req-] INFO AttributionBullBS.findAllBullDispatchDiv bulletinDispatch.timeout 1ms
2019-12-18_09:51:42.987 [] [req-] INFO AttributionBullBS.findAllBullDispatchCtrl bulletinDispatch.timeout 1ms

2019-12-18_09:51:42.981 [] [req-] INFO ParGideBS.getByCle bulletinDispatch.timeout 1ms

2019-12-18_09:51:32.557 [] [req-] INFO ParamGideBS.getByCle bulletinDispatch.timeout 0ms
2019-12-18_09:51:32.557 [] [req-] INFO ParamGideBS.getByCle bulletinDispatch.timeout 0ms
2019-12-18_09:51:32.558 [] [req-] INFO AttributionBullBS.findAllBullDispatchD1EtD2 bulletinDispatch.timeout 0ms
2019-12-18_09:51:32.559 [] [req-] INFO AttributionBullBS.findAllBullDispatchDiv bulletinDispatch.timeout 0ms

2019-12-18_09:51:32.560 [] [req-] INFO AttributionBullBS.findAllBullDispatchCtrl bulletinDispatch.timeout 0ms

With this file, I'd like splunk to do a very simple thing : create 1 event for each line, but... I can't do it.

I tried these parameters in props.conf :
SHOULD_LINEMERGE = false
BREAK_ONLY_BEFORE_DATE = true
TIME_FORMAT=%Y-%m-%d_%H:%M:%S.%3N
TIME_PREFIX=^

or even :
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)

or :
BREAK_ONLY_BEFORE = ^

All these parameters work well when I test the file using the "add data" feature in Splunk web...
BUT... it doesn't work when I push the prop.conf file in my production environment.

In the example above, Splunk merge the 5th first lines in 1 event, then I have one line in an event and the last 5 lines in another event : it seems that Splunk organize the parsing with the blank lines in the file (= lines between 2 blank line are grouped in the same event).

Could someone help me on this case and provided the "magic" props to solve it ?
Many thanks

David

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

DavidCaputo
Path Finder
‎12-18-2019 06:17 AM

Problem solved :

I declared in my props.conf [sourcetype_name ] and it seems that the problem was the space after the sourcetype name.
with [sourcetype_name], the parameters above work perfectly.

Sorry for that stupid mistake !
David

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

DavidCaputo
Path Finder
‎12-18-2019 06:17 AM

Problem solved :

I declared in my props.conf [sourcetype_name ] and it seems that the problem was the space after the sourcetype name.
with [sourcetype_name], the parameters above work perfectly.

Sorry for that stupid mistake !
David

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Wondering How to Build Resiliency in the Cloud?

IT leaders are choosing Splunk Cloud as an ideal cloud transformation platform to drive business resilience,  ...

Updated Data Management and AWS GDI Inventory in Splunk Observability

We’re making some changes to Data Management and Infrastructure Inventory for AWS. The Data Management page, ...