BREAK_ONLY_BEFORE
Hi guys !!
You all know that to create dashboards, reports, alerts, etc. in Splunk we need some events. It is the responsibility of Splunk Developers. But for on-boarding, parsing and filtering data in Splunk you have to be confident in handling the configuration files. For parsing data we use props.conf, and we do the parsing on the Heavy Forwarder (HF). Today we will show you how to break events using the BREAK_ONLY_BEFORE attribute. You have to use this attribute inside props.conf. You can find props.conf in the following path.
$SPLUNK_HOME/etc/system/local
After that you have to configure props.conf.
If you are using a stand-alone system, you can configure props.conf at the time of adding data into Splunk from the GUI.
Below is some sample data.
hi hello how are you? i am fine. also how you feel? are you speak in english however are you feel i send pic to you
We have saved this data into a file.
Follow the steps below:
Step 1:
Log in to Splunk with your credentials.
Step 2:
You can see the Add Data option in the middle of the screen. Click on Add Data.
Step 3:
Select the method. We will upload some data from our local system. So click on Upload.
Step 4:
Click on Select File.
Step 5:
Select the file you want to upload. Here we have selected the file where we had saved our sample data. Click on Open.
Step 6:
After uploading the data click on Next.
Step 7:
Now you can see the Advanced option on the left side. Click on Advanced to configure props.conf. Whatever you write here will be saved in the props.conf file in the back end.
Step 8:
Now write the attributes in the Advanced option, as shown below. Then click on Apply settings.
BREAK_ONLY_BEFORE = how
SHOULD_LINEMERGE = true
Here we have written BREAK_ONLY_BEFORE = how and SHOULD_LINEMERGE = true, so wherever a line contains the string "how", the event is broken before that line and a new event starts there.
But if the string we have given, "how", is not there, those lines will be merged with the previous event until a new line containing "how" arrives.
NOTE: Using a hard-coded value is not good, because if some portion of any word matches the specified string, the attribute will still work in the manner discussed above and break the event according to its policy. So be careful when you use a hard-coded value.
Here we take the string "how"; whenever this string is matched, the line is broken according to the attribute's policy. Suppose the string "however" appears in a line: the attribute will still trigger, because "how" is also a part of "however".
Hope this has helped you in achieving the below requirement without fail:
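The substring caveat above can be checked offline with a simplified model of the line-merge rule. This is an added example, not part of the original post and not Splunk's own code; the line breaks in the sample and the stricter pattern `\bhow\b` (a regex word boundary) are assumptions made for illustration.

```python
import re

# Constructed sample: the words follow the post's sample data,
# the line breaks are an assumption.
SAMPLE_LINES = [
    "hi",
    "hello",
    "how are you?",
    "i am fine.",
    "also how you feel?",
    "are you speak in english",
    "however are you feel",
    "i send pic to you",
]


def merge_events(lines, break_only_before):
    """Simplified model of SHOULD_LINEMERGE = true with BREAK_ONLY_BEFORE.

    A line that matches the regex anywhere starts a new event; any other
    line is appended to the current event. Other props.conf settings
    (timestamps, MAX_EVENTS, ...) are ignored in this model.
    """
    pattern = re.compile(break_only_before)
    events = []
    for line in lines:
        if not events or pattern.search(line):
            events.append([line])      # break before this line
        else:
            events[-1].append(line)    # merge into the previous event
    return ["\n".join(event) for event in events]


def compare(lines):
    """Return events for the hard-coded value and for a whole-word pattern."""
    loose = merge_events(lines, r"how")        # value used in the post
    strict = merge_events(lines, r"\bhow\b")   # assumed stricter alternative
    return loose, strict


if __name__ == "__main__":
    loose, strict = compare(SAMPLE_LINES)
    for name, events in (("how", loose), (r"\bhow\b", strict)):
        print(f"BREAK_ONLY_BEFORE = {name} -> {len(events)} events")
        for i, event in enumerate(events, 1):
            print(f"  event {i}: {event!r}")
```

With the hard-coded value, the line starting with "however" opens an extra event; with the word-boundary pattern it stays merged with the preceding event.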
BREAK_ONLY_BEFORE
Happy Splunking !!