- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: camera log line breaking
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hey all,
so I'm trying to add our camera system logs to splunk but because of the formatting of the status logs it breaks it at the wrong spot. I've tried to specify custom line breakingg rules in the props file but I must be doing something wrong.
here is a sample log:
Device Status:
ctime=1392061339.198785
lcode=1 (NORMAL)
mcode=1 (NORMAL)
afpks=009830
afius=038551
Device Settings:
name=abc10
type=asd
ctime=1392041485.026564
imgq=86
fps=10
vca=0
apb=0
ptz=0/0/100/50/0
most=-6
cbbytes=33554432
mibytes=524288
iscount=64
Latest Data:
isnm=194206
ssnm=4134514
size=165465
Device Status:
ctime=1392061339.198785
lcode=1 (NORMAL)
mcode=1 (NORMAL)
afpks=009830
afius=038551
Device Settings:
name=abc10
type=asd
ctime=1392041485.026564
imgq=86
fps=10
vca=0
apb=0
ptz=0/0/100/50/0
most=-6
cbbytes=33554432
mibytes=524288
iscount=64
Latest Data:
isnm=194206
ssnm=4134514
size=165465
Device Status:
ctime=1392061339.198785
lcode=1 (NORMAL)
mcode=1 (NORMAL)
afpks=009830
afius=038551
Device Settings:
name=abc10
type=asd
ctime=1392041485.026564
imgq=86
fps=10
vca=0
apb=0
ptz=0/0/100/50/0
most=-6
cbbytes=33554432
mibytes=524288
splunk keeps trying to break on the "ctime=\d+.\d+" string but a full log runs from the "Device\sStatus:" line to just before the next "Device\sStatus:". so when it breaks on ctime i get twice as many logs with half of the information in each.
under the file match condition heading this is the line i added:
[source::.../status-data/*/*.status]
LINE_BREAKER = (Device\sStatus:)
SHOULD_LINEMERGE = false
BREAK_ONLY_BEFORE_DATE = false
thanks for the help guys!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try with this props.conf setting.
[source::.../status-data/*/*.status]
BREAK_ONLY_BEFORE = Device Status
NO_BINARY_CHECK = 1
SHOULD_LINEMERGE = true
TIME_PREFIX = ctime=
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try with this props.conf setting.
[source::.../status-data/*/*.status]
BREAK_ONLY_BEFORE = Device Status
NO_BINARY_CHECK = 1
SHOULD_LINEMERGE = true
TIME_PREFIX = ctime=
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
this worked perfectly! also i realized that a part of my problem was that i was updating the props file on the forwarder, not the server, oops! thanks for your help!
Observability | Use Synthetic Monitoring for Website Metadata Verification
More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk
.conf24 | Personalize your .conf experience with Learning Paths!
