- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- line-break issues in events
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm having issues with line break for some reason. I'm looking to break into individual line events. I've included the following in the specific apps props.conf. Any suggestions?
props.conf
[SPLUNK_INCL_DATA.DAT]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
raw data
y8200|ACH-NEW-R|05/16/2017|7|1|5|881.24|3|50.24|INC_ACH-NEW-R3-0516.PBS|05/16/2017|2|397|
y8200|ACH-NEW-R|05/16/2017|8|1|0|0.00|1|412.00|INC_ACH-NEW-R4-0516.PBS|05/16/2017|||
y8200|ACH-R|05/16/2017|1|1|27332|19348046.77|11142|10812534.28|INC_ACH-R1-0516.PBS|05/16/2017|5|33|
y8200|ACH-R|05/16/2017|2|1|43093|106558388.19|40396|117051987.96|INC_ACH-R2-0516.PBS|05/16/2017|||
y8200|ACH-R|05/16/2017|3|1|14949|6935959.69|5846|5575650.96|INC_ACH-R3-0516.PBS|05/16/2017||0|
y8200|ACH-R|05/16/2017|4|1|11145|2342435.86|4304|5653510.66|INC_ACH-R4-0516.PBS|05/16/2017|||
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
According to docs what you are doing should work fine, however it doesn't work for me as well.
For sample logs you have provided, the following worked fine:
props.conf
[SPLUNK_INCL_DATA.DAT]
SHOULD_LINEMERGE = false
BREAK_ONLY_BEFORE = ($)
Regards
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I gave a try again with LINE_BREAKER = ([\r\n]+) and It worked fine on version 6.5.3
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
According to docs what you are doing should work fine, however it doesn't work for me as well.
For sample logs you have provided, the following worked fine:
props.conf
[SPLUNK_INCL_DATA.DAT]
SHOULD_LINEMERGE = false
BREAK_ONLY_BEFORE = ($)
Regards
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
working fine, But how.? could you please explain.?
Thanks in advance
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi ,
1- Where is props.conf stored & let me know this change will impact all logs or specific log .
2- Can I enforce splunk to monitor log line by line using input.conf
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
props.conf file location : $SPLUNK_HOME/etc/system/local
Inside the directory you find props.conf,in case if you don't have create new one with props.conf name.
Place that code inside file after restart the splunkd service.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
$ matches the end of the line, it is working the same like ^ with start of the line
Regards
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You need to:
- Make sure that the sourcetype in the stanza header matches EXACTLY the sourcetype of your data.
- Deploy this to each of your indexers
- Restart splunk on each indexer
- Test by searching ONLY against data indexed AFTER the deploy/restart (old data will stay broken)
Detecting Remote Code Executions With the Splunk Threat Research Team
Enter the Splunk Community Dashboard Challenge for Your Chance to Win!
.conf24 | Session Scheduler is Live!!
