https://community.splunk.com/t5/Getting-Data-In/How-do-you-parse-multiline-key-value-events/m-p/418872#M73853 <P>You want to change the appearance of the raw events, or you want to extract the fields? Based on your example, I'm assuming the first.</P> <P>Not entirely sure why you'd want to format the raw events, but something like this should work:</P> <P>in props.conf</P> <PRE><CODE>[yoursourcetype] SEDCMD-0split_to_lines = s/,\s/\n/g SEDCMD-1strip_quotes = s/"//g SEDCMD-2add_quotes = s/^([^\r\n]+)/"\1"/ </CODE></PRE> <P>Example in the searchbar:</P> <PRE><CODE>| makeresults | eval _raw = "2018-12-04 01:51:08.330, LogDate=\"2018-12-04 01:51:08.33\", SessionId=\"abc\", MachineName=\"xyz\", LoggerName=\"def\", LogLevel=\"DEBUG\", MessageId=\"DumpCacheNames\", Message=\"def\", ApplicationId=\"fgd\", EndpointStack=\"abc\", LogInsertDate=\"date\"" | rex mode=sed "s/, /\n/g" | rex mode=sed "s/\"//g" | rex mode=sed "s/^([^\r\n]+)/\"\1\"/" </CODE></PRE> Tue, 04 Dec 2018 08:21:13 GMT FrankVl 2018-12-04T08:21:13Z https://community.splunk.com/t5/Getting-Data-In/How-do-you-parse-multiline-key-value-events/m-p/418868#M73849 <P>How do you parse the below events?</P> <P>The events looks like :</P> <PRE><CODE>2018-12-04 01:51:08.330, LogDate="2018-12-04 01:51:08.33", SessionId="abc", MachineName="xyz", LoggerName="def", LogLevel="DEBUG", MessageId="DumpCacheNames", Message="def", ApplicationId="fgd", EndpointStack="abc", LogInsertDate="date" </CODE></PRE> <P>I need to show events as:</P> <PRE><CODE> "2018-12-04 01:51:08.330" SessionId=abc MachineName=xyz LoggerName=def LogLevel=DEBUG MessageId=DumpCacheNames Message=def ApplicationId=fgd EndpointStack=abc LogInsertDate=date </CODE></PRE> <P>Thanks !</P> Tue, 04 Dec 2018 07:47:21 GMT https://community.splunk.com/t5/Getting-Data-In/How-do-you-parse-multiline-key-value-events/m-p/418868#M73849 vishaltaneja070 2018-12-04T07:47:21Z https://community.splunk.com/t5/Getting-Data-In/How-do-you-parse-multiline-key-value-events/m-p/418869#M73850 <P>Try </P> <PRE><CODE>...|kv </CODE></PRE> <P>or in props.conf-</P> <PRE><CODE>KV_MODE = auto </CODE></PRE> Tue, 04 Dec 2018 07:55:49 GMT https://community.splunk.com/t5/Getting-Data-In/How-do-you-parse-multiline-key-value-events/m-p/418869#M73850 493669 2018-12-04T07:55:49Z https://community.splunk.com/t5/Getting-Data-In/How-do-you-parse-multiline-key-value-events/m-p/418870#M73851 <P>Nup didn't work. Any other suggestion?</P> Tue, 04 Dec 2018 08:02:15 GMT https://community.splunk.com/t5/Getting-Data-In/How-do-you-parse-multiline-key-value-events/m-p/418870#M73851 vishaltaneja070 2018-12-04T08:02:15Z https://community.splunk.com/t5/Getting-Data-In/How-do-you-parse-multiline-key-value-events/m-p/418871#M73852 <P>i tried with sample data and it is working as expected</P> <PRE><CODE>| makeresults |eval _raw="\"2018-12-04 01:51:08.330\" SessionId=abc MachineName=xyz LoggerName=def LogLevel=DEBUG MessageId=DumpCacheNames Message=def ApplicationId=fgd EndpointStack=abc LogInsertDate=date"| kv </CODE></PRE> Tue, 04 Dec 2018 08:15:24 GMT https://community.splunk.com/t5/Getting-Data-In/How-do-you-parse-multiline-key-value-events/m-p/418871#M73852 493669 2018-12-04T08:15:24Z https://community.splunk.com/t5/Getting-Data-In/How-do-you-parse-multiline-key-value-events/m-p/418872#M73853 <P>You want to change the appearance of the raw events, or you want to extract the fields? Based on your example, I'm assuming the first.</P> <P>Not entirely sure why you'd want to format the raw events, but something like this should work:</P> <P>in props.conf</P> <PRE><CODE>[yoursourcetype] SEDCMD-0split_to_lines = s/,\s/\n/g SEDCMD-1strip_quotes = s/"//g SEDCMD-2add_quotes = s/^([^\r\n]+)/"\1"/ </CODE></PRE> <P>Example in the searchbar:</P> <PRE><CODE>| makeresults | eval _raw = "2018-12-04 01:51:08.330, LogDate=\"2018-12-04 01:51:08.33\", SessionId=\"abc\", MachineName=\"xyz\", LoggerName=\"def\", LogLevel=\"DEBUG\", MessageId=\"DumpCacheNames\", Message=\"def\", ApplicationId=\"fgd\", EndpointStack=\"abc\", LogInsertDate=\"date\"" | rex mode=sed "s/, /\n/g" | rex mode=sed "s/\"//g" | rex mode=sed "s/^([^\r\n]+)/\"\1\"/" </CODE></PRE> Tue, 04 Dec 2018 08:21:13 GMT https://community.splunk.com/t5/Getting-Data-In/How-do-you-parse-multiline-key-value-events/m-p/418872#M73853 FrankVl 2018-12-04T08:21:13Z https://community.splunk.com/t5/Getting-Data-In/How-do-you-parse-multiline-key-value-events/m-p/418873#M73854 <P>Try with this string </P> <PRE><CODE>2018-12-04 01:51:08.330, LogDate="2018-12-04 01:51:08.33", SessionId="abc", MachineName="xyz", LoggerName="def", LogLevel="DEBUG", MessageId="DumpCacheNames", Message="def", ApplicationId="fgd", EndpointStack="abc", LogInsertDate="date" </CODE></PRE> Tue, 04 Dec 2018 09:51:32 GMT https://community.splunk.com/t5/Getting-Data-In/How-do-you-parse-multiline-key-value-events/m-p/418873#M73854 vishaltaneja070 2018-12-04T09:51:32Z https://community.splunk.com/t5/Getting-Data-In/How-do-you-parse-multiline-key-value-events/m-p/418874#M73855 <P>@FrankVl <BR /> Great Buddy. It worked. Thanks <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> <P>I want to change the appearance, it is already available in DB connect v1. </P> Tue, 04 Dec 2018 10:09:01 GMT https://community.splunk.com/t5/Getting-Data-In/How-do-you-parse-multiline-key-value-events/m-p/418874#M73855 vishaltaneja070 2018-12-04T10:09:01Z