https://community.splunk.com/t5/Getting-Data-In/Combinate-SHOULD-LINEMERGE-with-Filtering/m-p/335258#M93646 <P>Hi all,</P> <P>I am trying to have a combination of SHOULD_LINEMERGE=true with filtering just to index some lines of the log file and diregards the others lines.</P> <P>Trying to use the below but not working</P> <P>[sourcetype] <BR /> TRANSFORMS-set= setnull,setparsing<BR /> SHOULD_LINEMERGE=true</P> <P>[setnull]<BR /> REGEX = .<BR /> DEST_KEY = queue<BR /> FORMAT = nullQueue</P> <P>[setparsing]<BR /> REGEX = lvsapsd<BR /> DEST_KEY = queue<BR /> FORMAT = indexQueue</P> <P>Part of the text of the log file:<BR /> S Doing: print 1591111lllllll<BR /> S lvsapsd -&gt; Print Job @&gt;SPOREQ:1597246@ S print job @&gt;SPOREQ:1597246@&lt;/1 has no list attributes<BR /> S replace user SAPSYS by 99718165 </P> <P>It is creating one event but not filtering just the second line. It is bringing all the lines.</P> <P>How I can combinate the usage of SHOULD_LINEMERGE with Filtering?</P> <P>Thanks and regards,<BR /> Danillo Pavan</P> Sat, 09 Dec 2017 20:22:32 GMT danillopavan 2017-12-09T20:22:32Z https://community.splunk.com/t5/Getting-Data-In/Combinate-SHOULD-LINEMERGE-with-Filtering/m-p/335258#M93646 <P>Hi all,</P> <P>I am trying to have a combination of SHOULD_LINEMERGE=true with filtering just to index some lines of the log file and diregards the others lines.</P> <P>Trying to use the below but not working</P> <P>[sourcetype] <BR /> TRANSFORMS-set= setnull,setparsing<BR /> SHOULD_LINEMERGE=true</P> <P>[setnull]<BR /> REGEX = .<BR /> DEST_KEY = queue<BR /> FORMAT = nullQueue</P> <P>[setparsing]<BR /> REGEX = lvsapsd<BR /> DEST_KEY = queue<BR /> FORMAT = indexQueue</P> <P>Part of the text of the log file:<BR /> S Doing: print 1591111lllllll<BR /> S lvsapsd -&gt; Print Job @&gt;SPOREQ:1597246@ S print job @&gt;SPOREQ:1597246@&lt;/1 has no list attributes<BR /> S replace user SAPSYS by 99718165 </P> <P>It is creating one event but not filtering just the second line. It is bringing all the lines.</P> <P>How I can combinate the usage of SHOULD_LINEMERGE with Filtering?</P> <P>Thanks and regards,<BR /> Danillo Pavan</P> Sat, 09 Dec 2017 20:22:32 GMT https://community.splunk.com/t5/Getting-Data-In/Combinate-SHOULD-LINEMERGE-with-Filtering/m-p/335258#M93646 danillopavan 2017-12-09T20:22:32Z https://community.splunk.com/t5/Getting-Data-In/Combinate-SHOULD-LINEMERGE-with-Filtering/m-p/335259#M93647 <P>Hi @danillopavan, </P> <P>Do you have any timestamps in your logs ? If not then Splunk considers both the line as one event. </P> <P>Try to break the lines in the props itself. </P> <P>[sourcetype] <BR /> TRANSFORMS-set= setnull,setparsing<BR /> SHOULD_LINEMERGE= false </P> <P>This will separate each line then write your transforms.conf as it is. </P> <P>[setnull]<BR /> REGEX = .<BR /> DEST_KEY = queue<BR /> FORMAT = nullQueue</P> <P>[setparsing]<BR /> REGEX = lvsapsd<BR /> DEST_KEY = queue<BR /> FORMAT = indexQueue</P> Tue, 12 Dec 2017 13:15:47 GMT https://community.splunk.com/t5/Getting-Data-In/Combinate-SHOULD-LINEMERGE-with-Filtering/m-p/335259#M93647 sandyIscream 2017-12-12T13:15:47Z https://community.splunk.com/t5/Getting-Data-In/Combinate-SHOULD-LINEMERGE-with-Filtering/m-p/335260#M93648 <P>Hi Sandy, thanks for your reply.</P> <P>I have a timestamps in the logs, however it is registering the time minute by minute and not event by event, so I am not using timestamps as delimiter. My idea is to consider multiple lines as one event, because of that i am using the command SHOULD_LINEMERGE = true, but my expectation is to have just some lines filtered in the unique event and not all lines. So i would like to know if it is possible to filter merged lines. I tried everything on my side and it is not working. Or all lines are indexed in only one event, or the lines are filtered however having one event for each filtered line.</P> <P>Still need help here.</P> <P>Thanks and regards,<BR /> Danillo Pavan</P> Tue, 12 Dec 2017 13:24:32 GMT https://community.splunk.com/t5/Getting-Data-In/Combinate-SHOULD-LINEMERGE-with-Filtering/m-p/335260#M93648 danillopavan 2017-12-12T13:24:32Z https://community.splunk.com/t5/Getting-Data-In/Combinate-SHOULD-LINEMERGE-with-Filtering/m-p/335261#M93649 <P>Any answer?</P> Sat, 16 Dec 2017 15:05:09 GMT https://community.splunk.com/t5/Getting-Data-In/Combinate-SHOULD-LINEMERGE-with-Filtering/m-p/335261#M93649 danillopavan 2017-12-16T15:05:09Z https://community.splunk.com/t5/Getting-Data-In/Combinate-SHOULD-LINEMERGE-with-Filtering/m-p/335262#M93650 <P>@danillopavan this seems similar to other question your have posted: <A href="https://answers.splunk.com/answers/597389/filtering-data-using-should-linemerge.html">https://answers.splunk.com/answers/597389/filtering-data-using-should-linemerge.html</A></P> <P>I would request you to consolidate required details against single question and keep only one of them open.</P> Sat, 16 Dec 2017 18:48:06 GMT https://community.splunk.com/t5/Getting-Data-In/Combinate-SHOULD-LINEMERGE-with-Filtering/m-p/335262#M93650 niketn 2017-12-16T18:48:06Z https://community.splunk.com/t5/Getting-Data-In/Combinate-SHOULD-LINEMERGE-with-Filtering/m-p/335263#M93651 <P>Closing this topic, keeping just the other one that I have created as it is similar:</P> <P><A href="https://answers.splunk.com/answers/597389/filtering-data-using-should-linemerge.html">https://answers.splunk.com/answers/597389/filtering-data-using-should-linemerge.html</A></P> Tue, 19 Dec 2017 20:59:53 GMT https://community.splunk.com/t5/Getting-Data-In/Combinate-SHOULD-LINEMERGE-with-Filtering/m-p/335263#M93651 danillopavan 2017-12-19T20:59:53Z