Spread our blog

Hi guys !!

You all know that for creating any dashboards, reports , alerts etc. in Splunk we need some events. It is the responsibility of Splunk Developers. But for on-boarding, parsing  and filtering some  data in Splunk you have to be confident  in handling the configurations files. For parsing some data we use props.conf and also we do parsing on the Heavy Forwarder(HF).Today we will show you how to break the events using BREAK_ONLY_BEFORE attribute. You have to use this attribute inside  props.conf. You can find the props.conf in following path.

$SPLUNK_HOME$/etc/system/local

After that you have to configure the props.conf.

If you are using stand-alone system you can configure props.conf at the time of adding data into Splunk from the GUI.

See below we have given a sample data.

hi
hello
how  are  you?
i am fine.
also how you feel?
are you speak in english
however are you feel
i send pic to you

We have saved this data into a file.

Follow the below steps :

Step 1:

Login to Splunk by your credentials.

Step 2:

You can see the Add Data option on the middle of the screen. Click on Add Data.

Step 3:

Select the method. We will upload some data from our local system. So click on Upload.

Step 4:

Click on Select File.

Step 5:

Select the file you want to upload. Here we have selected the file where we had saved our sample data. Click on Open.

Step 6:

After uploading the data click on Next.

Step 7:

Now you can Advanced option on the left side. Click on Advanced to configure props.conf. From here whatever you will write that will be saved in the props.conf file in the back end.

Step 8:

Now write attributes in Advanced option. How to use this command you can see below.­ Click on Apply settings.

MUST_BREAK_AFTER = how
SHOULD_LINEMERGE = true

Here we have written MUST_BREAK_AFTER = how and SHOULD_LINEMERGE = true then which line contain string ‘how’ , from the next  line it will be broken into another event. It will not break in middle of the line where it founds “how”.

But if the string which I have given means “how” is not there , that line or after that all  lines will be in  same event until it gets a event which contains “how”.

NOTE: Use of hard-code value is not good. Because if some portion of any word matches with specified string then also it will work as above discussed manner. And then the attribute break upon it’s policy. So be careful when use hard code value.

Here we take a string say how whenever  this string is matched then the line will be  break upon it’s  policy. Suppose a string however is coming in line then also this attribute will be working because how is also a part of “however”. 

Hope, this has helped you in achieving the below requirement without fail:

You can also know about :  HEC (Http Event Collector) with Syslog-NG :  Aggregated  and Scalable Data Collection Method in Splunk

MUST_BREAK_AFTER

Happy Splunking  !!

What’s your Reaction?
+1
+1
+1
+1
+1
2
+1
+1

Spread our blog
Previous articleBREAK_ONLY_BEFORE
Next articleEVENT_BREAKER_ENABLE & EVENT_BREAKER
splunkgeek
Passionate content developer dedicated to producing result-oriented content, a specialist in technical and marketing niche writing!! Splunk Geek is a professional content writer with 6 years of experience and has been working for businesses of all types and sizes. It believes in offering insightful, educational, and valuable content and it's work reflects that.

RELATED ARTICLESMORE FROM AUTHOR

LEAVE A REPLY

Please enter your comment!
Please enter your name here