https://community.splunk.com/t5/Getting-Data-In/How-can-I-break-a-multiline-log-by-discarding-the-header-and/m-p/597021#M104225 <P>Also for you thank you very much brother&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/231884">@PickleRick</a>&nbsp;</P> Mon, 09 May 2022 19:01:47 GMT zcx01067 2022-05-09T19:01:47Z https://community.splunk.com/t5/Getting-Data-In/How-can-I-break-a-multiline-log-by-discarding-the-header-and/m-p/596830#M104182 <P>Hello, I have a multiline log file, but each file comes with a header that I want to discard and only use the part of the log that brings the important information, can someone help me.</P><P><U><STRONG>Here is the original log file:</STRONG></U></P><P>Audit file /oracle/SIC/AUDIT/SYS_OPERATIONS/ora_1695798.aud<BR />Oracle9i Enterprise Edition Release 9.2.0.8.0 - 64bit Production<BR />With the Partitioning option<BR />JServer Release 9.2.0.8.0 - Production<BR />ORACLE_HOME = /oracle/SIC/920_64<BR />System name: AIX<BR />Node name: duero<BR />Release: 3<BR />Version: 5<BR />Machine: 00CF214F4C00<BR />Instance name: SIC<BR />Redo thread mounted by this instance: 1<BR />Oracle process number: 37<BR />Unix process pid: 1695798, image: oracle@duero (TNS V1-V3)</P><P>Sat Mar 19 06:03:53 2022<BR />ACTION : 'CONNECT'<BR />DATABASE USER: '/'<BR />PRIVILEGE : SYSOPER<BR />CLIENT USER: orasic<BR />CLIENT TERMINAL:<BR />STATUS: 0</P><P>Sat Mar 19 06:03:53 2022<BR />ACTION : '/* BRARCHIVE */ CREATE PFILE = '/oracle/SIC/920_64/dbs/sap.ora' FROM SPFILE = '/oracle/SIC/920_64/dbs/spfileSIC.ora''<BR />DATABASE USER: '/'<BR />PRIVILEGE : SYSOPER<BR />CLIENT USER: orasic<BR />CLIENT TERMINAL:<BR />STATUS: 0</P><P>&nbsp;</P><P><U><STRONG>But I only need these parts of the log:</STRONG></U></P><P>Sat Mar 19 06:03:53 2022<BR />ACTION : 'CONNECT'<BR />DATABASE USER: '/'<BR />PRIVILEGE : SYSOPER<BR />CLIENT USER: orasic<BR />CLIENT TERMINAL:<BR />STATUS: 0</P><P>Sat Mar 19 06:03:53 2022<BR />ACTION : '/* BRARCHIVE */ CREATE PFILE = '/oracle/SIC/920_64/dbs/sap.ora' FROM SPFILE = '/oracle/SIC/920_64/dbs/spfileSIC.ora''<BR />DATABASE USER: '/'<BR />PRIVILEGE : SYSOPER<BR />CLIENT USER: orasic<BR />CLIENT TERMINAL:<BR />STATUS: 0</P> Sat, 07 May 2022 20:14:45 GMT https://community.splunk.com/t5/Getting-Data-In/How-can-I-break-a-multiline-log-by-discarding-the-header-and/m-p/596830#M104182 zcx01067 2022-05-07T20:14:45Z https://community.splunk.com/t5/Getting-Data-In/How-can-I-break-a-multiline-log-by-discarding-the-header-and/m-p/596838#M104183 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/245609">@zcx01067</a>,</P><P>you have to follow the instructions at&nbsp;<A href="https://docs.splunk.com/Documentation/Splunk/8.2.6/Forwarding/Routeandfilterdatad#Filter_event_data_and_send_to_queues" target="_blank">https://docs.splunk.com/Documentation/Splunk/8.2.6/Forwarding/Routeandfilterdatad#Filter_event_data_and_send_to_queues</A></P><P>in few words, add to your <STRONG>props.conf</STRONG></P><LI-CODE lang="markup">[your_sourcetype] TRANSFORMS-null = setnull</LI-CODE><P>and to your <STRONG>transforms.conf</STRONG></P><LI-CODE lang="markup">[setnull] REGEX = ^Audit\s+file\s+ DEST_KEY = queue FORMAT = nullQueue</LI-CODE><P>&nbsp;Ciao.</P><P>Giuseppe</P> Sun, 08 May 2022 05:22:41 GMT https://community.splunk.com/t5/Getting-Data-In/How-can-I-break-a-multiline-log-by-discarding-the-header-and/m-p/596838#M104183 gcusello 2022-05-08T05:22:41Z https://community.splunk.com/t5/Getting-Data-In/How-can-I-break-a-multiline-log-by-discarding-the-header-and/m-p/596847#M104184 <P>If I understand you correctly, the whole "header thing" is also a multiline "entity".</P><P>You could try setting proper event breaking, especially with BREAK_ONLY_BEFORE_DATE. That way you could check later as <a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/161352">@gcusello</a> showed and discard anything that - for example - doesn't start with a date.</P> Sun, 08 May 2022 13:53:20 GMT https://community.splunk.com/t5/Getting-Data-In/How-can-I-break-a-multiline-log-by-discarding-the-header-and/m-p/596847#M104184 PickleRick 2022-05-08T13:53:20Z https://community.splunk.com/t5/Getting-Data-In/How-can-I-break-a-multiline-log-by-discarding-the-header-and/m-p/597020#M104224 <P>Hello <a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/161352">@gcusello</a>&nbsp;, I just tried your answer and it is exactly what I needed, thank you very much brother, a big hug from the Dominican Republic.</P> Mon, 09 May 2022 18:59:42 GMT https://community.splunk.com/t5/Getting-Data-In/How-can-I-break-a-multiline-log-by-discarding-the-header-and/m-p/597020#M104224 zcx01067 2022-05-09T18:59:42Z https://community.splunk.com/t5/Getting-Data-In/How-can-I-break-a-multiline-log-by-discarding-the-header-and/m-p/597021#M104225 <P>Also for you thank you very much brother&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/231884">@PickleRick</a>&nbsp;</P> Mon, 09 May 2022 19:01:47 GMT https://community.splunk.com/t5/Getting-Data-In/How-can-I-break-a-multiline-log-by-discarding-the-header-and/m-p/597021#M104225 zcx01067 2022-05-09T19:01:47Z https://community.splunk.com/t5/Getting-Data-In/How-can-I-break-a-multiline-log-by-discarding-the-header-and/m-p/597075#M104228 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/245609">@zcx01067</a>,</P><P>good for you, see next time!</P><P>please accept the answer for the other people of Community</P><P>Ciao and happy splunking</P><P>Giuseppe</P><P>P.S.: Karma Points are appreciated by all the Contributors <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P> Tue, 10 May 2022 06:07:17 GMT https://community.splunk.com/t5/Getting-Data-In/How-can-I-break-a-multiline-log-by-discarding-the-header-and/m-p/597075#M104228 gcusello 2022-05-10T06:07:17Z