topic Re: Split logs with split in Getting Data In

Split logs with split

jrodriguezap — Mon, 28 Sep 2020 14:49:21 GMT

Hello everyone
Someone did this?, I'm trying to split the logs with a split, usually I get the following log:

Sep 20 00:37:19 192.168.10.30: Username = jrodiguez, IP = 190.43.138.114, Session Open; Sep 20 00:57:26 Username = jrodiguez, IP = 190.43.138.114, Session disconnected

But I wish I had this log divided as follows:

Sep 20 00:37:19 192.168.10.30: Username = jrodiguez, IP = 190.43.138.114, Session Open

Sep 20 00:57:26 Username = jrodiguez, IP = 190.43.138.114, Session disconnected

Someone who has achieved?
I tried: search ... | eval _raw=split(_raw,"Open;")
But I did not get 😞

Re: Split logs with split

gfuente — Fri, 20 Sep 2013 15:16:59 GMT

Hello

It seems that you are not indexing logs properly, as it should break events by timestamp, and then you already will get the events splited by time.

So, post your props.conf configuration for this sourcetype, so we can propose you the best way to index those events

Regards

Re: Split logs with split

jrodriguezap — Fri, 20 Sep 2013 15:24:56 GMT

Hello gfuente
This I want in a SEARCH

Re: Split logs with split

rturk — Fri, 20 Sep 2013 15:27:31 GMT

Hi jrodriguezap,

I think the issue here is with the configuration of your event breaking rather than using the split command. SHould the logs really be put together like that? If not, then you're going to need to play around with your props.conf to split them accordingly.

Using your example:

[your_sourcetype]
LINE_BREAKER=([;\r\n]+\s?)
NO_BINARY_CHECK=1
SHOULD_LINEMERGE=false

This may not be the ideal way to do it (I'm a bit tired right now), but it gives me the following results:

References:

Splunk Docs: http://docs.splunk.com/Documentation/Splunk/5.0.4/Data/Indexmulti-lineevents

Re: Split logs with split

jrodriguezap — Fri, 20 Sep 2013 15:38:42 GMT

Thank you very much R.Turk.
Tell me, and instead of separating by props.conf, that way you could do it in the SEARCH?

Re: Split logs with split

jrodriguezap — Sat, 21 Sep 2013 01:45:51 GMT

Hello.
You could do this with a SEARCH? It really, this log is the product of a TRANSACTION. Log is a more complex, but for simplicity I consult understanding this.
I hope I understand.

Thanks

Re: Split logs with split

rturk — Sat, 21 Sep 2013 02:08:59 GMT

It's not really clear what you're trying to do here I'm sorry. If the event that you provided is as you've posted, then data is not being brought into Splunk correctly and should be fixed.

If you're trying to process a merged event after a | transaction command has been applied, then I think you might be walking down the wrong path.

Ultimately it depends on:
- The nature of your raw event logs (they may need to be sanitised)
- What exactly you're trying to do.

Re: Split logs with split

jrodriguezap — Sat, 21 Sep 2013 02:56:02 GMT

Sorry, I tried to be a little more clear up an image, but requires more "Karma".
What happens is that I make a transaction ( SEARCH ... | transaction maxspan=24h Username IP), but I _raw bundles more than you'd like, staying well:

>_raw 1
Sep 20 00:37:19 192.168.10.30: Username = jrodiguez, IP = 190.43.138.114, Session Open; Sep 20 00:57:26 Username = jrodiguez, IP = 190.43.138.114, Session disconnected  
Sep 20 03:22:31 192.168.10.30: Username = jrodiguez, IP = 190.43.138.114, Session Open; Sep 20 03:34:16 Username = jrodiguez, IP = 190.43.138.114, Session disconnected
Sep 20 08:15:42 192.168.10.30: Username = jrodiguez, IP = 190.43.138.114, Session Open; Sep 20 09:21:54 Username = jrodiguez, IP = 190.43.138.114, Session disconnected

And would separate the _raw to look like this:

>_raw 1
Sep 20 00:37:19 192.168.10.30: Username = jrodiguez, IP = 190.43.138.114, Session Open; Sep 20 00:57:26 Username = jrodiguez, IP = 190.43.138.114, Session disconnected  
>_raw 2
Sep 20 03:22:31 192.168.10.30: Username = jrodiguez, IP = 190.43.138.114, Session Open; Sep 20 03:34:16 Username = jrodiguez, IP = 190.43.138.114, Session disconnected
>_raw 3
Sep 20 08:15:42 192.168.10.30: Username = jrodiguez, IP = 190.43.138.114, Session Open; Sep 20 09:21:54 Username = jrodiguez, IP = 190.43.138.114, Session disconnected

I tried to do with this: SEARCH ... | transaction maxspan=24h Username IP | eval _raw=split(_raw,"disconnected"), but it did not work

Re: Split logs with split

gfuente — Sat, 21 Sep 2013 08:15:53 GMT

Hello

What you have to do is change the way of doing the transaction.

Use this: transaction startswith="Session Open" endswith="Session disconnected"

Re: Split logs with split

adrianathome — Sun, 22 Sep 2013 15:11:56 GMT

Give this a try.

search ...|makemv delim=";" _raw |mvexpand _raw

Re: Split logs with split

rturk — Sun, 22 Sep 2013 23:54:34 GMT

Yep this will work, but be aware that both events will have an identical timestamp according to Splunk (Sep 20 00:37:19)

Re: Split logs with split

jrodriguezap — Mon, 23 Sep 2013 00:18:12 GMT

Thanks gfuente!
This helped me! Thank you all!
:)