https://community.splunk.com/t5/Getting-Data-In/Consume-Free-Form-text/m-p/103248#M21697 <P>You will need to instruct Splunk that this is a mulit-line event and also tell it where the line breakers are. Assuming that the TicketNum field is where a new event starts try this in your $SPLUNK_HOME/etc/system/local/props.conf:</P> <PRE><CODE>[yoursourcetype] SHOULD_LINEMERGE = True BREAK_ONLY_BEFORE = ^TicketNum </CODE></PRE> Thu, 03 Nov 2011 16:51:19 GMT tgow 2011-11-03T16:51:19Z https://community.splunk.com/t5/Getting-Data-In/Consume-Free-Form-text/m-p/103245#M21694 <P>I have a help desk database in SQL Server that I want to export to log type files and have Splunk consume. I'm not having any trouble getting the data into Splunk but I can't seem to get Splunk to understand where the boundaries for each record/event is. I have defined my output as follows:<BR /> <PRE><BR /> TicketNum=000001<BR /> CustName=Bob Smith<BR /> CallDate=2011-11-01<BR /> Status=Closed<BR /> CallDesc=Mr. Smith had trouble accessing his hydro accelerator while in mimsy mode.<BR /> CallResolution=Told Mr. Smith that he had to be sure his vorbis was in gear<BR /> </PRE><BR /> Of course the CallDesc and CallResolution fields can be quite long. They contain copies of emails, comments and more. I have been careful to separate them with only line feeds. The only carriage return/linefeed is at the end of each record/event. There are 14 fields in each record/event. </P> <P>When I run a search on the raw data many of the records/events run together and they do not necessarily break at the end of a record/event. Yet others do. I have set the DELIMS="\n" in transforms.conf but it doesn't seem to help. </P> <P>Does anyone know how I can break these records/events out properly?</P> <P>Thanks</P> Thu, 03 Nov 2011 15:22:19 GMT https://community.splunk.com/t5/Getting-Data-In/Consume-Free-Form-text/m-p/103245#M21694 kmattern 2011-11-03T15:22:19Z https://community.splunk.com/t5/Getting-Data-In/Consume-Free-Form-text/m-p/103246#M21695 <P>Try using <CODE>DELIMS="([\r\n])+"</CODE> as there may be carriage returns and/or new lines. </P> <P>Hope this helps</P> <P><CODE>&gt; please upvote and accept answer if you find it useful - thanks!</CODE></P> Thu, 03 Nov 2011 15:36:18 GMT https://community.splunk.com/t5/Getting-Data-In/Consume-Free-Form-text/m-p/103246#M21695 _d_ 2011-11-03T15:36:18Z https://community.splunk.com/t5/Getting-Data-In/Consume-Free-Form-text/m-p/103247#M21696 <P>That didn't seem to do anything different. Maybe part of the problem is that in the free-form text theare are usually a number of dates. Emails are copied comppletely into these records and that includes the date and time of the email. I moved all of my date fields to the top of the event but that didn't seem to help either.</P> Thu, 03 Nov 2011 15:49:40 GMT https://community.splunk.com/t5/Getting-Data-In/Consume-Free-Form-text/m-p/103247#M21696 kmattern 2011-11-03T15:49:40Z https://community.splunk.com/t5/Getting-Data-In/Consume-Free-Form-text/m-p/103248#M21697 <P>You will need to instruct Splunk that this is a mulit-line event and also tell it where the line breakers are. Assuming that the TicketNum field is where a new event starts try this in your $SPLUNK_HOME/etc/system/local/props.conf:</P> <PRE><CODE>[yoursourcetype] SHOULD_LINEMERGE = True BREAK_ONLY_BEFORE = ^TicketNum </CODE></PRE> Thu, 03 Nov 2011 16:51:19 GMT https://community.splunk.com/t5/Getting-Data-In/Consume-Free-Form-text/m-p/103248#M21697 tgow 2011-11-03T16:51:19Z