We're trying to break up some log entries that look like:
2019-03-27 17:11:59.942 Request was not matched as were no stubs registered:
{
"url" : "/",
"absoluteUrl" : "http://localhost:8080/",
"method" : "GET",
"clientIp" : "127.0.0.1",
"headers" : {
"User-Agent" : "Wget",
"Connection" : "close",
"Host" : "localhost:8080"
},
"cookies" : { },
"browserProxyRequest" : false,
"loggedDate" : 1553706719942,
"bodyAsBase64" : "",
"body" : "",
"loggedDateString" : "2019-03-27T17:11:59Z",
"queryParams" : { }
}
Our props.conf looks like:
SHOULD_LINEMERGE = true
BREAK_ONLY_BEFORE = \d\d\d\d[-]\d\d[-]\d\d[ ]\d\d[:]\d\d[:]\d\d[.]\d\d\d
The trouble is, our Splunk result is breaking on every date. The above regex matches only the top date format in my regex tester.
So with the above data, Splunk is parsing it into:
Record 1:
2019-03-27 17:11:59.942 Request was not matched as were no stubs registered:
{
"url" : "/",
"absoluteUrl" : "http://localhost:8080/",
"method" : "GET",
"clientIp" : "127.0.0.1",
"headers" : {
"User-Agent" : "Wget",
"Connection" : "close",
"Host" : "localhost:8080"
},
"cookies" : { },
"browserProxyRequest" : false,
Record 2:
"loggedDate" : 1553706719942,
"bodyAsBase64" : "",
"body" : "",
Record 3:
"loggedDateString" : "2019-03-27T17:11:59Z",
"queryParams" : { }
}
That sure looks like it's using both BREAK_ONLY_BEFORE and BREAK_ONLY_BEFORE_DATE = true. We've tried adding BREAK_ONLY_BEFORE_DATE = false to the props.conf and it's still breaking up at all dates. I read in another Q that you cannot use both BREAK_ONLY_BEFORE and BREAK_ONLY_BEFORE_DATE in the same props.conf. How do we set it to not break at the other date instances?
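An added example, not part of the original post and not Splunk's own code: an offline check of the posted BREAK_ONLY_BEFORE pattern against the sample, using a simplified model that starts a new event only at a line the pattern matches. The first event is abridged from the post, the second event is constructed, and the function names are hypothetical.

```python
import re

# Pattern copied verbatim from the BREAK_ONLY_BEFORE setting in the post.
BREAK_ONLY_BEFORE = re.compile(
    r"\d\d\d\d[-]\d\d[-]\d\d[ ]\d\d[:]\d\d[:]\d\d[.]\d\d\d")

# First event: abridged from the post. Second event: constructed for this example.
SAMPLE = """\
2019-03-27 17:11:59.942 Request was not matched as were no stubs registered:
{
"url" : "/",
"browserProxyRequest" : false,
"loggedDate" : 1553706719942,
"bodyAsBase64" : "",
"body" : "",
"loggedDateString" : "2019-03-27T17:11:59Z",
"queryParams" : { }
}
2019-03-27 17:12:03.120 Request was not matched as were no stubs registered:
{
"url" : "/health",
"loggedDate" : 1553706723120,
"loggedDateString" : "2019-03-27T17:12:03Z"
}
"""


def matching_lines(text):
    """Return 1-based numbers of the lines the pattern matches anywhere."""
    return [n for n, line in enumerate(text.splitlines(), 1)
            if BREAK_ONLY_BEFORE.search(line)]


def merge_events(text):
    """Simplified model of line merging: break only before a matching line."""
    events = []
    for line in text.splitlines():
        if not events or BREAK_ONLY_BEFORE.search(line):
            events.append([line])
        else:
            events[-1].append(line)
    return ["\n".join(event) for event in events]


if __name__ == "__main__":
    print("pattern matches lines:", matching_lines(SAMPLE))
    for i, event in enumerate(merge_events(SAMPLE), 1):
        print(f"--- event {i}: {len(event.splitlines())} lines")
```

In this model only the two header lines match, so each JSON body stays in one event; the "loggedDate" and "loggedDateString" lines are not break points for this pattern.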