Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

can't figure out line breaks on a particular file I have

gregcain
Explorer
‎08-23-2016 01:52 PM

Hi There,

I have a log file that looks like this (where it says "blank line" is a blank line, not the words "blank line.")

blank line
Thu Aug 11 06:05PM paging-script.sh args: An Incident 
11111111 Initial. [Priority 2-High]. Cust:Last, First A (555) 111-2222 DC 5B: Problem Description: 555-555-5555 u
calling page-member.sh auxiliary-ta email@domain.com Incident 11111111 Initial. [Priority 2-High]. Cust:Last, First A (555) 555-5555 DC 5B: Problem Description: 555-555-5555
Thu Aug 11 06:05PM paging-script.sh is complete.
blank line

Every instance of this file share this format. A blank line, followed by the date on the opening line, a line of text, and the closing line, which also starts with the date. Each entry has a blank line before it, and a blank line after it.

Using regex of %a %b %d %R%p I can parse the timestamp, but that means that the first and third lines end up being different records. If I leave event breaks set to Auto, it puts the time stamp on different lines. If I use the regex, it does the same things.

How would I set the source type to use the date format to open and close this code?

Tags (1)
Reply

s2_splunk
Splunk Employee
Splunk Employee
‎08-23-2016 03:17 PM

If your desired outcome is that you get exactly one event indexed that contains both timestamps, try this:

[yourSourcetype]
BREAK_ONLY_BEFORE = ^\r\n\w{3}\s\w{3}
KV_MODE = auto
NO_BINARY_CHECK = true
TIME_FORMAT = %a %b %d %R%p

In my test instance, this results in this output:
alt text

Preview file
1 KB
0 Karma
Reply

gregcain
Explorer
‎08-24-2016 09:23 AM

Hi There,

Thanks for the suggestions. However, it doesn't appear to work. It may be because you've only got one stanza from my file, whereas I have hundreds.

I copied and pasted your sourcetype, restarted splunk, and chose that sourcetype. The only differences between what you suggested, and what I find under advanced are:

CHARSET UTF-8
SHOULD_LINEMERGE true
disabled false

0 Karma
Reply

s2_splunk
Splunk Employee
Splunk Employee
‎08-24-2016 10:36 AM

OK, so if you have multiple of these blank-line1-line2-blank groups and you want your events to be line1+line2=1 event, change BREAK_ONLY_BEFORE = \w{3}\s\w{3}\s\d{1,2}\s\d{2}:\d{2}[AP]M\s\w+-\w+\.sh\sargs
This is assuming that your line1 always starts with a date, a .sh script name followed by a space and the string 'args'. If that is not the case, just modify the RegEx to reliably identify your line1.

0 Karma
Reply

diogofgm
SplunkTrust
SplunkTrust
‎08-23-2016 01:58 PM

can you try something like this:

TIME_PREFIX = ^[\r\n]

if the blank line has some space char try this:

TIME_PREFIX = ^\s*[\r\n]
------------
Hope I was able to help you. If so, some karma would be appreciated.
0 Karma
Reply

gregcain
Explorer
‎08-24-2016 10:07 AM

Hi There,

Thanks for the suggestion. Regretfully this didn't get any closer to a solution.

0 Karma
Reply
Get Updates on the Splunk Community!

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...

.conf24 | Personalize your .conf experience with Learning Paths!

Personalize your .conf24 Experience Learning paths allow you to level up your skill sets and dive deeper ...

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...