Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

event breaking not happening

pm2012
Explorer
2 weeks ago

HI SMEs,

 

I am having problem where logs coming from one of the syslog server are getting clubbed into one single raw event & not getting split. Sharing the below. Rather splitting it into 3 diff events it is coming under one single event. Kindly suggest any possible work around

 

Apr 14 17:30:50 172.10.10.10 %ASA-2-106006: Deny inbound UDP from 10.20.30.40/51785 to 172.10.10.10/162 on interface AI-VO-PVT
Apr 14 17:30:50 10.20.30.40 12812500: RP/0/RP0/CPU0:Apr 14 17:30:50.489 IST: ifmgr[301]: %PK-5-UPDOWN : Line protocol on Interface GigabitEthernet0/0/0/18, changed state to Down
Apr 14 17:30:50 10.225.124.136 TMNX: 258900 Base LOGGER-MINOR-tmnxLogFileDeleted-2009 [acct-log-id 18 file-id 22]: Log file cf3:\acttt\actof1822-20240414-075.xml.gz on compact flash cf3 has been deleted
Apr 14 17:30:50 10.20.30.40 12812502: RP/0/RP0/CPU0:Apr 14 17:30:50.493 IST: fia_driver[334]: %PLATFORM-2_FAULT : Interface GigabitEthernet0/0/0/18, Detected Local Fault

Labels (1)
Labels
Tags (1)
0 Karma
Reply

pm2012
Explorer
2 weeks ago

Yeah that's correct basically these are 4 events. I am putting the config taken from GUI below

pm2012_0-1714034945550.pngpm2012_1-1714034994632.png

 

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
2 weeks ago

The LINE_BREAKER setting requires a capture group.  The group is where events will be split.  Try this

LINE_BREAKER = ()\w{3}\s\d\d:\d\d
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

pm2012
Explorer
2 weeks ago

I check this however it was not matching. don't you think it should be as below

()\w{3}\s\d+\s+\d+\:\d+\:\d+\s+

However post updating this as well it is not working. Does it work only for new events post changes or the historical one as well? and how often it gets updated (the config changes)

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
2 weeks ago

Either regex should work.  BTW, it's not necessary to escape the colons.

Any change to props.conf only affects new data.  Config changes made in the UI take effect immediately; changes made to .conf files take effect after a restart.

---
If this reply helps you, Karma would be appreciated.
Reply

richgalloway
SplunkTrust
SplunkTrust
2 weeks ago

That looks like 4 different events rather than 3.  Please confirm.

Please share the props.conf settings for that sourcetype.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

pm2012
Explorer
2 weeks ago

Thanks @richgalloway please find the attached snaps as i am restricted to GUI 

0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...