
Need help on Line Breaking and Time Prefix, Time_Format on props.conf?

Hi all,

I need help with the line-break regex and TIME_FORMAT in props.conf. I am ingesting SonarQube logs into Splunk for the log details below with the following source types, but got stuck on the regex part.

Ce.log details:

    2019.07.12 11:05:15 DEBUG ce[][o.s.c.c.CeCleaningSchedulerImpl] Deleting any worn out task
    2019.07.12 11:05:15 DEBUG ce[][o.s.c.c.CeCleaningSchedulerImpl] Resetting state of tasks with unknown worker UUIDs
    2019.07.12 11:15:15 DEBUG ce[][o.s.c.c.CeCleaningSchedulerImpl] Deleting any worn out task
    2019.07.12 11:15:15 DEBUG ce[][o.s.c.c.CeCleaningSchedulerImpl] Resetting state of tasks with unknown worker UUIDs
    2019.07.12 11:25:15 DEBUG ce[][o.s.c.c.CeCleaningSchedulerImpl] Deleting any worn out task
    2019.07.12 11:25:15 DEBUG ce[][o.s.c.c.CeCleaningSchedulerImpl] Resetting state of tasks with unknown worker UUIDs
    2019.07.12 11:35:15 DEBUG ce[][o.s.c.c.CeCleaningSchedulerImpl] Deleting any worn out task
    2019.07.12 11:35:15 DEBUG ce[][o.s.c.c.CeCleaningSchedulerImpl] Resetting state of tasks with unknown worker UUIDs
    2019.07.12 11:45:15 DEBUG ce[][o.s.c.c.CeCleaningSchedulerImpl] Deleting any worn out task
    2019.07.12 11:45:15 DEBUG ce[][o.s.c.c.CeCleaningSchedulerImpl] Resetting state of tasks with unknown worker UUIDs

Source type and stanza details:

    [sonarqube:ce]
    SHOULD_LINEMERGE=false
    LINE_BREAKER = ([\r\n]+)\d+.\d+.\d+\s+\d+:\d+:\d+\s+\w+
    TIME_FORMAT=%Y.%m.%d %H:%M:%S
    TIME_PREFIX=^
    MAX_TIMESTAMP_LOOKAHEAD=19

Access.log details:

    x.x.x.x- - [11/Jul/2019:17:54:12 +0100] "GET /api/rules/search.protobuf?f=repo,name,severity,lang,internalKey,templateKey,params,actives,createdAt&activation=true&qprofile=AWbCc71kFTVuzYd0BsSB&p=1&ps=500 HTTP/1.1" 200 288 "-" "ScannerMaven/X.X.X.XXXX/3.0.5" "XXXXXXs0y7TAACB"
    x.x.x.x- - [11/Jul/2019:17:54:13 +0100] "GET /api/rules/search.protobuf?f=repo,name,severity,lang,internalKey,templateKey,params,actives,createdAt&activation=true&qprofile=AWbCc74DFTVuzYd0BsTO&p=1&ps=500 HTTP/1.1" 200 - "-" "ScannerMaven/X.X.X.XXXX/3.0.5" "XXXXXXs0y7TAACC"
    x.x.x.x- - [11/Jul/2019:17:54:13 +0100] "GET /api/rules/search.protobuf?f=repo,name,severity,lang,internalKey,templateKey,params,actives,createdAt&activation=true&qprofile=AWqYLPh9Yaosnfiy-EtA&p=1&ps=500 HTTP/1.1" 200 3989 "-" "ScannerMaven/X.X.X.XXXX/3.0.5" "XXXXXXs0y7TAACD"
    x.x.x.x- - [11/Jul/2019:17:54:13 +0100] "GET /api/rules/search.protobuf?f=repo,name,severity,lang,internalKey,templateKey,params,actives,createdAt&activation=true&qprofile=AWkV46fXeS_Bw5qUD5wC&p=1&ps=500 HTTP/1.1" 200 - "-" "ScannerMaven/X.X.X.XXXX/3.0.5" "XXXXXXs0y7TAACE"
    x.x.x.x- - [11/Jul/2019:17:54:13 +0100] "GET /api/rules/search.protobuf?f=repo,name,severity,lang,internalKey,templateKey,params,actives,createdAt&activation=true&qprofile=AWbCc8AHFTVuzYd0BsWp&p=1&ps=500 HTTP/1.1" 200 - "-" "ScannerMaven/X.X.X.XXXX/3.0.5" "XXXXXXs0y7TAACF"
    x.x.x.x- - [11/Jul/2019:17:54:13 +0100] "GET /api/rules/search.protobuf?f=repo,name,severity,lang,internalKey,templateKey,params,actives,createdAt&activation=true&qprofile=AWbCc8LZFTVuzYd0Bsd5&p=1&ps=500 HTTP/1.1" 200 - "-" "ScannerMaven/X.X.X.XXXX/3.0.5" "XXXXXXs0y7TAACG"
    x.x.x.x- - [11/Jul/2019:17:54:13 +0100] "GET /api/rules/search.protobuf?f=repo,name,severity,lang,internalKey,templateKey,params,actives,createdAt&activation=true&qprofile=AWoCWw4hDVsFMZYP1Pzs&p=1&ps=500 HTTP/1.1" 200 - "-" "ScannerMaven/X.X.X.XXXX/3.0.5" "XXXXXXs0y7TAACH"

Source type and stanza details:

    [sonarqube:access]
    SHOULD_LINEMERGE=false
    TIME_FORMAT= %d/%b/%Y:%H:%M:%S %Z
    TIME_PREFIX= \d+.\d+.\d+.\d+\s+\-\s+\-\s+\[
    MAX_TIMESTAMP_LOOKAHEAD=26
    LINE_BREAKER =([\r\n]+)\d+.\d+.\d+.\d

Need help on the above stanzas to parse the SonarQube data in Splunk. Kindly guide me on this.
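An offline check of the two stanzas above, as an added example that is not part of the original post and is not Splunk's own code: it models LINE_BREAKER (the text matched by capture group 1 is discarded at each break), TIME_PREFIX, MAX_TIMESTAMP_LOOKAHEAD and TIME_FORMAT with Python's `re` and `strptime`. The function names, the 192.0.2.10 address, the stack-trace event and the shortened request lines are constructed, and `%z` stands in for the post's `%Z` because Python's `%Z` does not parse `+0100`.

```python
import re
from datetime import datetime

# Stanza values copied from the post; the dict layout is this example's own.
CE = {"LINE_BREAKER": r"([\r\n]+)\d+.\d+.\d+\s+\d+:\d+:\d+\s+\w+",
      "TIME_PREFIX": r"^", "MAX_TIMESTAMP_LOOKAHEAD": 19,
      "TIME_FORMAT": "%Y.%m.%d %H:%M:%S"}
# Assumption: %z replaces the post's %Z, since Python's %Z rejects "+0100".
ACCESS = {"LINE_BREAKER": r"([\r\n]+)\d+.\d+.\d+.\d",
          "TIME_PREFIX": r"\d+.\d+.\d+.\d+\s+\-\s+\-\s+\[",
          "MAX_TIMESTAMP_LOOKAHEAD": 26,
          "TIME_FORMAT": "%d/%b/%Y:%H:%M:%S %z"}

# Constructed samples: line shapes follow the post; stack trace and IP are invented.
CE_RAW = (
    "2019.07.12 11:05:15 DEBUG ce[][o.s.c.c.CeCleaningSchedulerImpl] Deleting any worn out task\n"
    "2019.07.12 11:05:16 ERROR ce[][o.e.Worker] constructed failure\n"
    "java.lang.IllegalStateException: constructed\n"
    "\tat org.example.Worker.run(Worker.java:1)\n"
    "2019.07.12 11:15:15 DEBUG ce[][o.s.c.c.CeCleaningSchedulerImpl] Deleting any worn out task\n")
ACCESS_RAW = (
    '192.0.2.10 - - [11/Jul/2019:17:54:12 +0100] "GET /api/rules/search.protobuf?p=1 HTTP/1.1" 200 288 "-"\n'
    '192.0.2.10 - - [11/Jul/2019:17:54:13 +0100] "GET /api/rules/search.protobuf?p=1 HTTP/1.1" 200 - "-"\n')

def break_events(raw, line_breaker):
    """Split at each match: group 1 is dropped, the rest of the match starts the next event."""
    events, start = [], 0
    for m in re.finditer(line_breaker, raw):
        events.append(raw[start:m.start(1)])
        start = m.end(1)
    events.append(raw[start:])
    return [e.strip("\r\n") for e in events if e.strip()]

def extract_time(event, stanza):
    """Parse the MAX_TIMESTAMP_LOOKAHEAD characters that follow the TIME_PREFIX match."""
    m = re.search(stanza["TIME_PREFIX"], event)
    if not m:
        return None  # prefix never matched, so no timestamp window exists
    window = event[m.end():m.end() + stanza["MAX_TIMESTAMP_LOOKAHEAD"]]
    try:
        return datetime.strptime(window, stanza["TIME_FORMAT"])
    except ValueError:
        return None

def check(raw, stanza):
    """Return (event, parsed timestamp or None) for every event the stanza produces."""
    return [(e, extract_time(e, stanza)) for e in break_events(raw, stanza["LINE_BREAKER"])]

if __name__ == "__main__":
    for name, raw, stanza in (("ce", CE_RAW, CE), ("access", ACCESS_RAW, ACCESS)):
        for event, ts in check(raw, stanza):
            print(name, ts, repr(event[:50]))
```

A line with no space after the address, as the access sample is pasted (`x.x.x.x- -`), does not satisfy the `\s+` in TIME_PREFIX, and `extract_time` returns `None` for it.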
