Delimiters

Depending on the needs of your organization and the types of logs coming from your Splunk server, you may want to implement custom delimiters in the client policy for your Tenable Log Correlation Engine Splunk Client.

By default, the Tenable Log Correlation Engine Splunk Client parses each line in a log as an event. Because not all logs record an event on a single line, you can implement delimiters that allow the Tenable Log Correlation Engine Splunk Client to capture multiple lines and parse them as a single event. Conversely, if a log stores more than one event on a single line, you can implement delimiters that allow the Tenable Log Correlation Engine Splunk Client to parse multiple events from that line.

Caution: Delimiters should only be implemented by advanced users with an understanding of ECMA regular expression grammar.

The Tenable Log Correlation Engine Splunk Client policy can include zero or more delimiters. Delimiters are not required. In the case that delimiters are included in the policy but do not match in a log, the Tenable Log Correlation Engine Splunk Client uses the default behavior of parsing each line in a log as an event.

Because logs from Splunk may come from many different sources, you can include multiple delimiters in your Tenable Log Correlation Engine Splunk Client policy to account for the different methods of logging.

There are several considerations when implementing client policy delimiters:

  • In the client policy, delimiters consist of Start and End expressions. The Start and End expressions are used to identify the starting and ending strings of the events you want to capture.

    For example, the default Start expression that appears in the policy is \d{1,2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} (A|P)M, which matches an event that starts with a value such as 06/15/2016 05:23:06 AM. The End expression is [^\r]\n, which matches a line feed whose preceding character is not a carriage return (that is, a bare LF rather than the CRLF pair that terminates each line within a Windows event; the character before the LF is part of the match). This delimiter allows the Tenable Log Correlation Engine Splunk Client to capture multiple-line events from Windows logs.

  • Delimiters should be entered in order of priority. In the client policy, delimiters are tested in the order they appear. If a delimiter is found to be valid for a log (i.e., its Start expression matches), no subsequent delimiters are applied. Only one delimiter is applied to a log.
  • Delimiters must be entered using ECMA regular expression grammar.
  • If a delimiter is used and more than 50,000 bytes of data follow the Start match before the End expression is found, the incomplete result is sent to the Tenable Log Correlation Engine server, and the Tenable Log Correlation Engine Splunk Client continues with the next log.
  • After an event is captured, if it contains carriage returns or line feeds, they will be converted to spaces.
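The following is an added example, not code from Tenable or from the Log Correlation Engine Splunk Client: a small model of the considerations above (Start/End matching, priority order, the line-per-event default, the 50,000-byte limit, and the conversion of carriage returns and line feeds to spaces) so that you can try a delimiter against sample data before putting it in a policy. It is written in JavaScript because JavaScript evaluates expressions under ECMAScript regular-expression grammar, the grammar the client policy requires. The function names, the maxBytes parameter, the SYSLOG_DELIMITER and the sample logs are constructed for illustration; the client's exact internal behaviour is inferred from the documentation, not taken from its source.

```javascript
// Added example, not Tenable's code: a model of how Start/End delimiters in the
// client policy split a Splunk-forwarded log into events. Names, the maxBytes
// parameter and the sample logs are constructed for illustration.

// One policy delimiter: a Start and an End expression in ECMA regex syntax.
function delimiter(start, end) {
  return { start, end };
}

// The default Windows delimiter shown in the policy.
const WINDOWS_DELIMITER = delimiter(
  String.raw`\d{1,2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} (A|P)M`,
  String.raw`[^\r]\n`
);

// A constructed syslog delimiter (assumption, not from the documentation): an
// event starts at a "Mon DD hh:mm:ss" timestamp and ends at the newline that
// precedes the next timestamp or the end of the log, so indented continuation
// lines stay with their event.
const SYSLOG_DELIMITER = delimiter(
  String.raw`[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}`,
  String.raw`\n(?=[A-Z][a-z]{2} +\d{1,2} \d{2}:|$)`
);

// Delimiters are tested in policy order; the first whose Start expression
// matches anywhere in the log is the only one applied. null selects the
// default line-per-event behaviour.
function selectDelimiter(log, delimiters) {
  return delimiters.find(d => new RegExp(d.start).test(log)) || null;
}

// Carriage returns and line feeds inside a captured event become spaces.
// trimEnd() is a tidy-up for this model; the documentation only states the
// conversion to spaces.
function normalize(event) {
  return event.replace(/[\r\n]/g, ' ').trimEnd();
}

// maxBytes models the documented 50,000-byte limit on data scanned for the End
// expression; this model counts characters, which equals bytes for ASCII logs.
function splitEvents(log, delimiters, maxBytes = 50000) {
  const d = selectDelimiter(log, delimiters);
  if (d === null) {
    return log.split(/\r?\n/).filter(l => l.length > 0).map(normalize);
  }
  const startRe = new RegExp(d.start, 'g');
  const endRe = new RegExp(d.end, 'g');
  const events = [];
  let pos = 0;
  for (;;) {
    startRe.lastIndex = pos;
    const s = startRe.exec(log);
    if (s === null) break;                      // no more events in this log
    endRe.lastIndex = s.index + s[0].length;    // End is searched after Start
    const e = endRe.exec(log);
    const endOfEvent = e === null ? Infinity : e.index + e[0].length;
    if (endOfEvent - s.index > maxBytes) {
      // Documented failure mode: no End within the limit, so the incomplete
      // result is sent and the rest of this log is abandoned.
      events.push(normalize(log.slice(s.index, s.index + maxBytes)));
      break;
    }
    events.push(normalize(log.slice(s.index, endOfEvent)));
    pos = Math.max(endOfEvent, s.index + 1);    // always make progress
  }
  return events;
}

// Constructed sample data. Lines inside a Windows event end in CRLF and each
// event ends in a bare LF, which is what the End expression [^\r]\n keys on.
const WINDOWS_LOG =
  '06/15/2016 05:23:06 AM\r\nLogName=Security\r\nEventCode=4624\r\n' +
  'Message=An account was successfully logged on.\n' +
  '06/15/2016 05:23:09 AM\r\nLogName=Security\r\nEventCode=4625\r\n' +
  'Message=An account failed to log on.\n';

// Constructed syslog sample whose first message continues on an indented line.
const SYSLOG_LOG =
  'Jun 15 05:23:06 host app[77]: Exception in thread main\n' +
  '    at com.example.Foo.bar(Foo.java:12)\n' +
  'Jun 15 05:23:07 host sshd[1234]: session opened for user alice\n';

const POLICY = [SYSLOG_DELIMITER, WINDOWS_DELIMITER];   // priority order

console.log(splitEvents(WINDOWS_LOG, POLICY));     // 2 events, one per Windows event
console.log(splitEvents(SYSLOG_LOG, POLICY));      // 2 events; continuation line kept
console.log(splitEvents(SYSLOG_LOG, []));          // 3 events: default line splitting
console.log(splitEvents(WINDOWS_LOG, POLICY, 40)); // 1 truncated event: limit hit
```

Two things to check when you adapt this to your own delimiters: that the Start expression of a higher-priority delimiter does not accidentally match inside logs meant for a lower-priority one (the syslog Start above deliberately requires a three-letter month and a time so it never fires on the Windows sample), and that the End expression can actually occur within 50,000 bytes of the Start, since otherwise the server receives truncated events. Run the model with a deliberately small maxBytes, as the last call does, to see what a truncated event looks like.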