Splunk Search

help on sourcetype customization for log parsing

jip31
Motivator

hello

I need to parse the kind of logs below

Microsoft Windows [version 10.0.18363.1198]
(c) 2019 Microsoft Corporation. Tous droits réservés.

C:\WINDOWS\system32>dir C:\Tools\F
 Le volume dans le lecteur C s’appelle OSDisk
 Le numéro de série du volume est 88FB-20D5

Répertoire de C:\Tools\F

05/10/2020  06:48                 0 ABD-UPDATED.$w$
06/09/2018  13:27                 0 Access Runtime 2013 (15.0_32b) EN.$w$
06/09/2018  13:27                 0 Access Runtime 2013 (15.0_32b) ENP00.$w$
06/09/2018  13:30                 0 Acrobat Reader DC (2015.006_32b) ML.$w$
06/09/2018  13:30                 0 Acrobat Reader DC (2015.006_32b) MLP00.$w$
01/10/2019  08:01                 0 User Data Backup (2.2_32b) ML.$w$
01/10/2019  08:01                 0 User Data Backup (2.2_32b) MLP01.$w$

I need to create events for lines just after

Répertoire de C:\Tools\F

It means that I need a new event for each timestamp, and that I need to delete the first part of the log.

How do I do this, please?


gcusello
SplunkTrust
SplunkTrust

Hi @jip31,

let me understand: do you want to extract a field with the content of repertoire or to delete the other contents of the event before indexing?

If you want to extract the field, you can use a regex like this:

| rex "(?ms)Répertoire de (?<repertoire>\w:(\\\w+)*)"

that you can test at https://regex101.com/r/TSuiwO/1

Ciao.

Giuseppe


jip31
Motivator

Hi

Thanks, but my question is about how to do this directly at sourcetype level.

For example, what do I have to add in LINE_BREAKER, or somewhere else, to have this log correctly parsed?

Unless I am mistaken, your regex works only for search usage.

gcusello
SplunkTrust
SplunkTrust

Hi @jip31,

I suppose that the logs to parse are the output of a script.

So, you could try something like this:

[your_sourcetype]
SHOULD_LINEMERGE=true
LINE_BREAKER=([\r\n]+)
NO_BINARY_CHECK=true

Ciao.

Giuseppe
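As an added check that is not part of the thread: a Python script that applies a LINE_BREAKER regex with a timestamp lookahead, plus a nullQueue-style header filter, to a constructed copy of the dir output, so the regexes can be verified before they go into props.conf. Unlike the stanza above it uses SHOULD_LINEMERGE = false with the lookahead; the sourcetype and transform names are assumed, and the dates are taken to be day/month/year as the French locale prints them.

```python
import re
from datetime import datetime

# Constructed sample modelled on the dir output in the question (French Windows locale).
SAMPLE = (
    "Microsoft Windows [version 10.0.18363.1198]\r\n"
    "(c) 2019 Microsoft Corporation. Tous droits réservés.\r\n\r\n"
    "C:\\WINDOWS\\system32>dir C:\\Tools\\F\r\n"
    " Le numéro de série du volume est 88FB-20D5\r\n\r\n"
    "Répertoire de C:\\Tools\\F\r\n\r\n"
    "05/10/2020  06:48                 0 ABD-UPDATED.$w$\r\n"
    "06/09/2018  13:27                 0 Access Runtime 2013 (15.0_32b) EN.$w$\r\n"
    "01/10/2019  08:01                 0 User Data Backup (2.2_32b) ML.$w$\r\n"
)

# The same regexes as they would go into the conf files (stanza names are assumed):
#   props.conf        [dir_listing]
#                     SHOULD_LINEMERGE = false
#                     LINE_BREAKER = ([\r\n]+)(?=\d{2}/\d{2}/\d{4}\s+\d{2}:\d{2}\s)
#                     TIME_FORMAT = %d/%m/%Y %H:%M
#                     TRANSFORMS-drop_header = dir_listing_drop_header
#   transforms.conf   [dir_listing_drop_header]
#                     REGEX = ^(?!\d{2}/\d{2}/\d{4}\s+\d{2}:\d{2}\s)
#                     DEST_KEY = queue
#                     FORMAT = nullQueue
TS = r"\d{2}/\d{2}/\d{4}\s+\d{2}:\d{2}\s"
LINE_BREAKER = rf"([\r\n]+)(?={TS})"
HEADER_DROP = rf"^(?!{TS})"
TIME_FORMAT = "%d/%m/%Y %H:%M"  # assumption: day/month/year, as the French locale prints it

def break_events(raw: str) -> list:
    """Emulate LINE_BREAKER: split only where group 1 is followed by a timestamp."""
    parts = re.split(LINE_BREAKER, raw)
    # re.split keeps the captured newlines as separate items; Splunk discards them.
    return [p.rstrip("\r\n") for p in parts if p.strip()]

def drop_header(events: list) -> list:
    """Emulate the nullQueue transform: discard events not starting with a timestamp."""
    return [e for e in events if not re.match(HEADER_DROP, e)]

def index_listing(raw: str) -> list:
    """Full pipeline: one (timestamp, _raw) pair per directory entry, header gone."""
    out = []
    for e in drop_header(break_events(raw)):
        ts = datetime.strptime(" ".join(e.split()[:2]), TIME_FORMAT)
        out.append((ts, e))
    return out
```

Calling index_listing(SAMPLE) yields three events, one per file entry, with the banner, prompt and "Répertoire de" lines collapsed into a single header event that the filter discards.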


jip31
Motivator

Thanks to you


gcusello
SplunkTrust
SplunkTrust

Hi @jip31,

good for you.

Ciao and happy splunking.

Giuseppe

P.S.: Karma Points are appreciated 😉
