BREAK_ONLY_BEFORE_DATE
Hi guys !!
You all know that for creating any dashboards, reports , alerts, etc in Splunk we need some events. It is the responsibility of Splunk Developers to build dashboards and create reports , alerts etc. But for on-boarding, parsing and filtering some data in Splunk, you have to be confident in handling the configuration files. For parsing some data we use props.conf and also we do parsing on the Heavy Forwarder(HF).Today we will show you how to break the events or lines using BREAK_ONLY_BEFORE_DATE attribute. You have to use this attribute inside props.conf. You can find the props.conf in following path.
$SPLUNK_HOME$/etc/system/local
After that you have to configure the props.conf.
If you are using stand-alone system you can configure props.conf at the time of adding data into Splunk from the GUI.
See below we have given a sample data:
Hi all, how are you? its been 2 days that is from 10/01/2019 10:02:20 to 13/01/2019 09:55:08 that we haven't been get in touch as we have to complete our training right. So from 23/01/2019 10:30:02 we will start our classes. So bye and have a nice day Smriti 13/02/2019 11:02:35
We have saved this data in a file.
Now follow the below steps:
STEP 1:
Login to Splunk by your credentials.
STEP 2:
You will see Add Data option on the middle of the screen. Click on Add Data.
STEP 3:
Select the method. We will upload some data from our local system. So click on Upload.
STEP 4:
Click on Select File.
STEP 5:
Select the file you want to upload. Here we have selected the file where we had saved our sample data. Click on Open.
STEP 6:
After uploading the data click on Next.
STEP 7:
Now you will see that our sample data will be automatically divided into different events before the lines in which date is present. It automatically divides by itself because the BREAK_ONLY_BEFORE_DATE is set to true by default.
STEP 8:
Now you can use Advanced option on the left side. Click on Advanced to configure props.conf. From here whatever you will write that will be saved in the props.conf file in the back end. Now the lines are already divided into different events in which the date is present.
STEP 9:
Now write attributes in Advanced option.
BREAK_ONLY_BEFORE_DATE= true
Click on Apply Settings.
STEP 10:
As we have written BREAK_ONLY_BEFORE_DATE= true. So it will break the lines before, into different events in which the dates are present. See the sample data. Whichever line it will find the date and time,that date and time will go to the _time. Now as it finds the date in lines number 3 ,6 and 8, so it will divide the lines before, into different events. So line number 1,2 and 3 will merge together in single event, line number 4,5 and 6 in another single event and line number 7 and 8 in another single event .
STEP 11:
Now write attribute:
BREAK_ONLY_BEFORE_DATE=false
Click on Apply Settings.
STEP 12:
As we have written BREAK_ONLY_BEFORE_DATE= false. It will break all the lines into different event. In whichever event the date and time is present, that date and time will go to the _time. In the lines where the date and time is not present, the system date and time will go the _time OR it will take the previous event’s _time.
Hope, this has helped you in achieving the below requirement without fail:
BREAK_ONLY_BEFORE_DATE
Happy Splunking !!
