https://community.splunk.com/t5/Getting-Data-In/Mixed-one-line-and-multiline-events/m-p/30389#M5301 <P>By default Splunk will break events by timestamp, allowing for multiline events. Something like this</P> <PRE><CODE>ERROR [timestamp1] [id1] long message here ERROR [timestamp2][id2] short message here </CODE></PRE> <P>will result in two events. In your example, you have five timestamps where three happen to be identical. You will get five events, one for each timestamp. This makes sense as the default configuration because different log events may happen at the same time but might be entirely unrelated to each other.</P> <P>In order to persuade Splunk to smush multiple timestamped lines into one event you would need an event-breaking pattern somewhere in the log to tell Splunk "every time you read this pattern you should start a new event". That would have to apply to single-line events in that source type as well.</P> Mon, 12 Nov 2012 09:23:10 GMT martin_mueller 2012-11-12T09:23:10Z https://community.splunk.com/t5/Getting-Data-In/Mixed-one-line-and-multiline-events/m-p/30388#M5300 <P>On remote host I have a log file which contains mixed one line and multiline events in the following format</P> <PRE><CODE> ERROR [timestamp1] [id1] [message1_1] ERROR [timestamp1] [id1] [message1_2] ERROR [timestamp1] [id1] [message1_3] ERROR [timestamp2] [id2] [message2_1] ERROR [timestamp3] [id3] [message3_1] </CODE></PRE> <P>So, does splunk automagically treat multi lines with the same timestamp as one event block or should I use heavy forwarder to extract all events based on timestamp and id ?</P> Mon, 12 Nov 2012 08:46:04 GMT https://community.splunk.com/t5/Getting-Data-In/Mixed-one-line-and-multiline-events/m-p/30388#M5300 jakubincloud 2012-11-12T08:46:04Z https://community.splunk.com/t5/Getting-Data-In/Mixed-one-line-and-multiline-events/m-p/30389#M5301 <P>By default Splunk will break events by timestamp, allowing for multiline events. Something like this</P> <PRE><CODE>ERROR [timestamp1] [id1] long message here ERROR [timestamp2][id2] short message here </CODE></PRE> <P>will result in two events. In your example, you have five timestamps where three happen to be identical. You will get five events, one for each timestamp. This makes sense as the default configuration because different log events may happen at the same time but might be entirely unrelated to each other.</P> <P>In order to persuade Splunk to smush multiple timestamped lines into one event you would need an event-breaking pattern somewhere in the log to tell Splunk "every time you read this pattern you should start a new event". That would have to apply to single-line events in that source type as well.</P> Mon, 12 Nov 2012 09:23:10 GMT https://community.splunk.com/t5/Getting-Data-In/Mixed-one-line-and-multiline-events/m-p/30389#M5301 martin_mueller 2012-11-12T09:23:10Z https://community.splunk.com/t5/Getting-Data-In/Mixed-one-line-and-multiline-events/m-p/30390#M5302 <P>Yes, Splunk can divide multiline messages into logs, however in this case there is no simple pattern like text, so my question: can splunk group events based on regex or should put simple line dividing each message in logs</P> Mon, 12 Nov 2012 09:39:25 GMT https://community.splunk.com/t5/Getting-Data-In/Mixed-one-line-and-multiline-events/m-p/30390#M5302 jakubincloud 2012-11-12T09:39:25Z https://community.splunk.com/t5/Getting-Data-In/Mixed-one-line-and-multiline-events/m-p/30391#M5303 <P>By "pattern" I mean "regular expression". For example, if you start events every time the regular expression "f.o.o" matches, you need to specify this in props.conf for the source type:</P> <P>BREAK_ONLY_BEFORE=f.o.o</P> Mon, 28 Sep 2020 12:46:59 GMT https://community.splunk.com/t5/Getting-Data-In/Mixed-one-line-and-multiline-events/m-p/30391#M5303 martin_mueller 2020-09-28T12:46:59Z https://community.splunk.com/t5/Getting-Data-In/Mixed-one-line-and-multiline-events/m-p/30392#M5304 <P>but this is a simple regular expression when you look for a static text. What I would like to achieve is splunk to load text block from the log file:<BR /> ERROR [timestamp] [id1] line1<BR /> ERROR [timestamp] [id1] line2<BR /> and change it to event block with values <BR /> _time = timestamp, <BR /> id=[id1] <BR /> _raw=line1\nline2</P> Tue, 13 Nov 2012 11:06:03 GMT https://community.splunk.com/t5/Getting-Data-In/Mixed-one-line-and-multiline-events/m-p/30392#M5304 jakubincloud 2012-11-13T11:06:03Z https://community.splunk.com/t5/Getting-Data-In/Mixed-one-line-and-multiline-events/m-p/30393#M5305 <P>In order to achieve that you would need to strip out the duplicate timestamps and IDs for all subsequent lines prior to indexing. That's possible with a scripted input, you just need to implement the processing yourself. Splunk can do regex-based transformations before indexing, but recognizing the equality of your timestamps and IDs goes beyond the expressive power of regular expressions.</P> <P>An easier way would be to fix the logging to avoid the duplicate prefixes.</P> Tue, 13 Nov 2012 11:24:03 GMT https://community.splunk.com/t5/Getting-Data-In/Mixed-one-line-and-multiline-events/m-p/30393#M5305 martin_mueller 2012-11-13T11:24:03Z https://community.splunk.com/t5/Getting-Data-In/Mixed-one-line-and-multiline-events/m-p/30394#M5306 <P>Thanks for clarification</P> Tue, 13 Nov 2012 18:27:18 GMT https://community.splunk.com/t5/Getting-Data-In/Mixed-one-line-and-multiline-events/m-p/30394#M5306 jakubincloud 2012-11-13T18:27:18Z