https://community.splunk.com/t5/Splunk-Dev/Splunk-DB-Connect-Output-formatting-values-what-do-they-mean/m-p/55517#M708 <H3>1) Key-Value format</H3> <P>DB Connect formats the database results by generating key-value pairs in the form of <CODE>&lt;Column-Name&gt;=&lt;Column-Value&gt;</CODE>. The value is quoted if it contains certain characters. Those key value pairs are concatenated (seperated by a space). If <CODE>output.timestamp</CODE> is enabled, then the timestamp value will be printed at the beginning of the line.</P> <PRE><CODE>2013-04-05T15:00:23.000 ID=4711 username=wuzi123 message="User has been disabled" </CODE></PRE> <P>The sourcetype <CODE>dbmon:kv</CODE> contains the necessary index- and search-time settings to deal with this format. It can either be used directly (by simply omitting the sourcetype for the input) or by copying it's settings.</P> <PRE><CODE>[dbmon:kv] SHOULD_LINEMERGE = false LINE_BREAKER = ([\r\n]+) </CODE></PRE> <H3>2) Multiline Key-Value format</H3> <P>Essentially the same as the regular key-value format with the exception that the key-value pairs are seperated by a newline and there is no quoting of values.</P> <PRE><CODE>2013-04-05T15:00:23.000 ID=4711 username=wuzi123 message=User has been disabled </CODE></PRE> <P>The sourcetype <CODE>dbmon:mkv</CODE> contains the necessary index- and search-time settings.</P> <PRE><CODE>[dbmon:mkv] KV_MODE = none REPORT-mkv = dbx-mkv SHOULD_LINEMERGE = false LINE_BREAKER = ([\r\n]---91827349873-dbx-end-of-event---[\r\n]) LINE_BREAKER_LOOKBEHIND = 10000 </CODE></PRE> <H3>3) CSV</H3> <P>The values of the database result are format as comma separated values (regular CSV with quoting):</P> <PRE><CODE>2013-04-05T15:00:23.000,"4711","wuzi123","User has been disabled" </CODE></PRE> <P>The field extraction for this format has to be done manually. The best option here is a transforms.conf stanza with <CODE>FIELDS</CODE> and <CODE>DELIMS</CODE>.</P> <H3>3a) CSV with Headers</H3> <P>Does the same as CSV, but it will write the a header line into each file that is being generated containing a comma-separated list of the columns names from the database result.</P> <H3>4) Template</H3> <P>This format is the most flexible one, as it allows you to generate any format in the <CODE>output.template</CODE> option. The template should contain replacement tokens in the form of <CODE>$&lt;Column-Name&gt;$</CODE>. Those tokens are being replaced with the corresponding column value.</P> <P>Example Template:</P> <PRE><CODE>An even occurred at $timestamp$. User $user$ ID $ID$: $message$ </CODE></PRE> <P>would produce</P> <PRE><CODE>An even occurred at 2013-04-05T15:00:23.000. User wuzi123 ID 4711: User has been disabled </CODE></PRE> <P>DB Connect ships with a props.conf stanza that handles line-breaking for this format. The settings should be copied the sourcetype used for the database input.</P> <PRE><CODE>[source::...tpl_*.dbmonevt] SHOULD_LINEMERGE = false LINE_BREAKER = ([\r\n]---91827349873-dbx-end-of-event---[\r\n]) HEADER_MODE = firstline </CODE></PRE> Fri, 05 Apr 2013 23:12:00 GMT ziegfried 2013-04-05T23:12:00Z https://community.splunk.com/t5/Splunk-Dev/Splunk-DB-Connect-Output-formatting-values-what-do-they-mean/m-p/55516#M707 <P><A href="http://docs.splunk.com/Documentation/DBX/latest/DeployDBX/Configuredatabasemonitoring">http://docs.splunk.com/Documentation/DBX/latest/DeployDBX/Configuredatabasemonitoring</A> does not describe what the different Output formats are doing.</P> <PRE><CODE>Output formatting These settings determine how the results are converted into a text-based format Splunk can index. Formats * Key-Value based * Multiline Key-Value based * CSV * Template based * Timestamp output </CODE></PRE> <P>Initially I chose Key-Value based assuming that DB Connect would create the Key from the Column name and the Value from the data in the column.</P> <P>I then noticed that varchar fields with new lines were being truncated.<BR /> To fix this I had to:</P> <UL> <LI>Delete all my Database Inputs</LI> <LI>Stop Splunk</LI> <LI>run <CODE>splunk clean eventdata</CODE></LI> <LI>Delete the persistent state for the Database Inputs (see <A href="http://splunk-base.splunk.com/answers/68572/splunk-db-connect-how-to-reset-tailrising-state">How to reset tail.rising</A>)</LI> <LI>Start Splunk</LI> <LI>Create all my Database Inputs - this time with "Multi-line Key-Value format"</LI> </UL> <P>So my question is: What do the different values of Output Format mean and can anyone provide guidance on when to select the different values? (Ideally this should be in the <A href="http://docs.splunk.com/Documentation/DBX/latest/DeployDBX/Configuredatabasemonitoring">Documentation - Configuring Database Monitoring</A></P> Fri, 08 Mar 2013 06:32:49 GMT https://community.splunk.com/t5/Splunk-Dev/Splunk-DB-Connect-Output-formatting-values-what-do-they-mean/m-p/55516#M707 baerrach 2013-03-08T06:32:49Z https://community.splunk.com/t5/Splunk-Dev/Splunk-DB-Connect-Output-formatting-values-what-do-they-mean/m-p/55517#M708 <H3>1) Key-Value format</H3> <P>DB Connect formats the database results by generating key-value pairs in the form of <CODE>&lt;Column-Name&gt;=&lt;Column-Value&gt;</CODE>. The value is quoted if it contains certain characters. Those key value pairs are concatenated (seperated by a space). If <CODE>output.timestamp</CODE> is enabled, then the timestamp value will be printed at the beginning of the line.</P> <PRE><CODE>2013-04-05T15:00:23.000 ID=4711 username=wuzi123 message="User has been disabled" </CODE></PRE> <P>The sourcetype <CODE>dbmon:kv</CODE> contains the necessary index- and search-time settings to deal with this format. It can either be used directly (by simply omitting the sourcetype for the input) or by copying it's settings.</P> <PRE><CODE>[dbmon:kv] SHOULD_LINEMERGE = false LINE_BREAKER = ([\r\n]+) </CODE></PRE> <H3>2) Multiline Key-Value format</H3> <P>Essentially the same as the regular key-value format with the exception that the key-value pairs are seperated by a newline and there is no quoting of values.</P> <PRE><CODE>2013-04-05T15:00:23.000 ID=4711 username=wuzi123 message=User has been disabled </CODE></PRE> <P>The sourcetype <CODE>dbmon:mkv</CODE> contains the necessary index- and search-time settings.</P> <PRE><CODE>[dbmon:mkv] KV_MODE = none REPORT-mkv = dbx-mkv SHOULD_LINEMERGE = false LINE_BREAKER = ([\r\n]---91827349873-dbx-end-of-event---[\r\n]) LINE_BREAKER_LOOKBEHIND = 10000 </CODE></PRE> <H3>3) CSV</H3> <P>The values of the database result are format as comma separated values (regular CSV with quoting):</P> <PRE><CODE>2013-04-05T15:00:23.000,"4711","wuzi123","User has been disabled" </CODE></PRE> <P>The field extraction for this format has to be done manually. The best option here is a transforms.conf stanza with <CODE>FIELDS</CODE> and <CODE>DELIMS</CODE>.</P> <H3>3a) CSV with Headers</H3> <P>Does the same as CSV, but it will write the a header line into each file that is being generated containing a comma-separated list of the columns names from the database result.</P> <H3>4) Template</H3> <P>This format is the most flexible one, as it allows you to generate any format in the <CODE>output.template</CODE> option. The template should contain replacement tokens in the form of <CODE>$&lt;Column-Name&gt;$</CODE>. Those tokens are being replaced with the corresponding column value.</P> <P>Example Template:</P> <PRE><CODE>An even occurred at $timestamp$. User $user$ ID $ID$: $message$ </CODE></PRE> <P>would produce</P> <PRE><CODE>An even occurred at 2013-04-05T15:00:23.000. User wuzi123 ID 4711: User has been disabled </CODE></PRE> <P>DB Connect ships with a props.conf stanza that handles line-breaking for this format. The settings should be copied the sourcetype used for the database input.</P> <PRE><CODE>[source::...tpl_*.dbmonevt] SHOULD_LINEMERGE = false LINE_BREAKER = ([\r\n]---91827349873-dbx-end-of-event---[\r\n]) HEADER_MODE = firstline </CODE></PRE> Fri, 05 Apr 2013 23:12:00 GMT https://community.splunk.com/t5/Splunk-Dev/Splunk-DB-Connect-Output-formatting-values-what-do-they-mean/m-p/55517#M708 ziegfried 2013-04-05T23:12:00Z https://community.splunk.com/t5/Splunk-Dev/Splunk-DB-Connect-Output-formatting-values-what-do-they-mean/m-p/55518#M709 <P>Any updates to the answer when the column values contain newlines, i.e. from the original question "I then noticed that varchar fields with new lines were being truncated."</P> <P>For me only Multiline Key-Value based worked</P> Mon, 08 Apr 2013 10:23:24 GMT https://community.splunk.com/t5/Splunk-Dev/Splunk-DB-Connect-Output-formatting-values-what-do-they-mean/m-p/55518#M709 baerrach 2013-04-08T10:23:24Z https://community.splunk.com/t5/Splunk-Dev/Splunk-DB-Connect-Output-formatting-values-what-do-they-mean/m-p/55519#M710 <P>When using the CSV format, how does one link the inputs.conf and transforms.conf files? Should the respective files have identical stanza names?</P> Mon, 29 Jul 2013 16:39:05 GMT https://community.splunk.com/t5/Splunk-Dev/Splunk-DB-Connect-Output-formatting-values-what-do-they-mean/m-p/55519#M710 richgalloway 2013-07-29T16:39:05Z https://community.splunk.com/t5/Splunk-Dev/Splunk-DB-Connect-Output-formatting-values-what-do-they-mean/m-p/55520#M711 <P>Clear explanations with nice examples. Thanks!</P> Sun, 11 Jan 2015 04:30:22 GMT https://community.splunk.com/t5/Splunk-Dev/Splunk-DB-Connect-Output-formatting-values-what-do-they-mean/m-p/55520#M711 anwarmian 2015-01-11T04:30:22Z https://community.splunk.com/t5/Splunk-Dev/Splunk-DB-Connect-Output-formatting-values-what-do-they-mean/m-p/55521#M712 <P>Did you ever find a solution to the issue where column values contain new lines?</P> Wed, 27 Jan 2016 22:49:00 GMT https://community.splunk.com/t5/Splunk-Dev/Splunk-DB-Connect-Output-formatting-values-what-do-they-mean/m-p/55521#M712 jhambrick 2016-01-27T22:49:00Z