LINE_BREAKER

Hi guys !!

You all know that to create dashboards, reports, alerts and so on in Splunk, we need some events. Building dashboards, reports and alerts is the responsibility of Splunk Developers. But to on-board, parse and filter data in Splunk, you have to be confident in handling the configuration files. For parsing data we use props.conf, and we also do parsing on the Heavy Forwarder (HF). Today we will show you how to break events or lines using the LINE_BREAKER attribute. You have to use this attribute inside props.conf. You can find props.conf in the following path.

$SPLUNK_HOME/etc/system/local

After that you have to configure the props.conf.

If you are using a stand-alone system, you can configure props.conf from the GUI at the time of adding data into Splunk.

Below is the sample data.

Hi today we wil gonna show
you ]] how , to do line break.
so to do that we need, 4 - lines
and for that 4 - lines we will
write some regular expressions.
There are basically 2 ways of line breaking
so we will show you that 2 - ways.

We have saved this data into a file.

Follow the steps below:

Step 1:
Log in to Splunk with your credentials.

Step 2:
You can see the Add Data option in the middle of the screen. Click on Add Data.

Step 3:
Select the method. We will upload some data from our local system. So click on Upload.

Step 4:
Click on Select File.

Step 5:
Select the file you want to upload. Here we have selected the file where we had saved our sample data. Click on Open.

Step 6:
After uploading the data click on Next.

Step 7:
Now you can see the Advanced option on the left side. Click on Advanced to configure props.conf. Whatever you write here will be saved in the props.conf file in the back end.

Step 8:
Now write the attributes in the Advanced option. There are two conditions in LINE_BREAKER.

Condition 1:

SHOULD_LINEMERGE = false
LINE_BREAKER = (\d+\s+\W+)

Here we have written SHOULD_LINEMERGE = false, so wherever it finds the regular expression (a combination of digit + space + any non-alphanumeric character) it will break the line and create a new event. You must write the regular expression between brackets ( ). The specified regular expression works like a delimiter. In the sample data, it finds the regular expression in lines number 3, 4 and 6. Click on Apply settings. Now you can see the events: wherever it finds the regular expression, it breaks the line and creates a new event. The delimiter part is not shown after parsing.

Condition 2:

SHOULD_LINEMERGE = true
LINE_BREAKER = (\d+\s+\W+)

Here we have written SHOULD_LINEMERGE = true, so wherever it finds the regular expression (a combination of digit + space + any non-alphanumeric character) it will break the line and create a new line in the same event. You must write the regular expression between brackets ( ). The specified regular expression works like a delimiter. In the sample data, it finds the regular expression in lines number 3, 4 and 6. Click on Apply settings. Now you can see the event: wherever it finds the regular expression, it breaks the line and creates a new line in the same event. The delimiter part is not shown after parsing.
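An offline way to check where a LINE_BREAKER regex will cut the sample data before saving it in props.conf. This is an added example, not code from the original post or from Splunk: `break_stream` and `simulate` are hypothetical helper names, Python's `re` stands in for Splunk's regex engine, and the SHOULD_LINEMERGE = true branch is a simplified model that assumes the data carries no timestamps, so every piece merges back into one event.

```python
import re

# Sample data from the post, embedded so the script runs offline.
SAMPLE = (
    "Hi today we wil gonna show\n"
    "you ]] how , to do line break.\n"
    "so to do that we need, 4 - lines\n"
    "and for that 4 - lines we will\n"
    "write some regular expressions.\n"
    "There are basically 2 ways of line breaking\n"
    "so we will show you that 2 - ways.\n"
)

def break_stream(raw, line_breaker):
    """Split raw text the way LINE_BREAKER is documented to work: the start
    of capture group 1 ends one chunk, the end of group 1 starts the next,
    and the text matched by group 1 is discarded."""
    pattern = re.compile(line_breaker)
    if pattern.groups < 1:
        raise ValueError("LINE_BREAKER needs a capturing group")
    chunks, pos = [], 0
    for m in pattern.finditer(raw):
        if m.start(1) == -1:  # group 1 did not take part in this match
            continue
        chunks.append(raw[pos:m.start(1)])
        pos = m.end(1)
    chunks.append(raw[pos:])
    return [c for c in chunks if c.strip()]  # drop whitespace-only chunks

def simulate(raw, line_breaker, should_linemerge):
    """Simplified model (assumption): with SHOULD_LINEMERGE = true and no
    timestamps in the data, all chunks are merged into a single event,
    each chunk starting on a new line."""
    chunks = break_stream(raw, line_breaker)
    return ["\n".join(chunks)] if should_linemerge else chunks

if __name__ == "__main__":
    for merge in (False, True):
        events = simulate(SAMPLE, r"(\d+\s+\W+)", merge)
        print(f"SHOULD_LINEMERGE = {str(merge).lower()}: {len(events)} event(s)")
        for i, event in enumerate(events, 1):
            print(f"--- event {i} ---\n{event}")
```

Because the original newlines are no longer the break points, the events produced with SHOULD_LINEMERGE = false can span several source lines.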

Hope this has helped you in achieving the below requirement without fail:

LINE_BREAKER

Happy Splunking  !!
