Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Difficulty with linemerge and break_only

cwwirth
Explorer
‎12-09-2013 10:55 AM

I'm trying to get the following lines, all in the same text file on a Windows server, to show up as a single event in Splunk:

11/25/2013  12:00:10 PM     Engine version                          =   5600.1067
11/25/2013  12:00:10 PM     AntiVirus   DAT version                 =   7271.0
11/25/2013  12:00:10 PM     Number of detection signatures in EXTRA.DAT =   None
11/25/2013  12:00:10 PM     Names of detection signatures in EXTRA.DAT  =   None
11/25/2013  12:00:10 PM Scan Started    DOMAIN\PRINTING$    (managed) Server Full scan
11/25/2013  2:22:23 PM  Scan Summary    DOMAIN\PRINTING$    Scan Summary
11/25/2013  2:22:23 PM  Scan Summary    DOMAIN\PRINTING$    Processes scanned    : 49
11/25/2013  2:22:23 PM  Scan Summary    DOMAIN\PRINTING$    Processes detected   : 0
11/25/2013  2:22:23 PM  Scan Summary    DOMAIN\PRINTING$    Processes cleaned    : 0\

On the source server, I have an inputs.conf stanza calling out that file as its own sourcetype:

[monitor://c:\ProgramData\McAfee\DesktopProtection\OnDemandScanLog.txt]
sourcetype = McAfeeOnDemandScan

And on the indexer, I have a stanza in props.conf to (try) to merge these all into one event, breaking at the first line ("Engine" appears only in the first line in the file):

[McAfeeOnDemandScan]
SHOULD_LINEMERGE = True
BREAK_ONLY_BEFORE_DATE = false
BREAK_ONLY_BEFORE = Engine

...yet each line still appears as its own event. Would anyone be so kind as to point me in the right direction?

Thanks!

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

emechler_splunk
Splunk Employee
Splunk Employee
‎12-09-2013 11:40 AM

This props.conf stanza worked great for me using your data sample:

[McAfeeOnDemandScan]
BREAK_ONLY_BEFORE=^\d+/\d+/\d+\s+\d+:\d+:\d+\s+Engine
NO_BINARY_CHECK=1
SHOULD_LINEMERGE=true

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

emechler_splunk
Splunk Employee
Splunk Employee
‎12-09-2013 11:40 AM

This props.conf stanza worked great for me using your data sample:

[McAfeeOnDemandScan]
BREAK_ONLY_BEFORE=^\d+/\d+/\d+\s+\d+:\d+:\d+\s+Engine
NO_BINARY_CHECK=1
SHOULD_LINEMERGE=true

0 Karma
Reply
Solved! Jump to solution

cwwirth
Explorer
‎12-09-2013 11:57 AM

Yep, that works great for me too. Thanks!

0 Karma
Reply
Solved! Jump to solution

aelliott
Motivator
‎12-09-2013 11:07 AM

if they all start with a date and "engine version" you could potentially set it up to break only before a regex of the date and word Engine

0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...