https://community.splunk.com/t5/Splunk-Search/Search-time-line-break-using-REX/m-p/519076#M146154 <P>Hi Splunkers,</P><P>&nbsp;</P><P>Can anyone please help with search time line break for the following log.</P><P>&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">{"audits":[{"id":"000","version":1,"modified":"2020-09-11T12:28:44.351897585Z","sortValues":null,"action":{"JobID":"97979779797","Name":"TA"},"user":"x","object":"Jobs","type":"w","identifier":"0h0hh0h0hh"},{"id":"879789","version":1,"modified":"2020-09-11T12:27:46.568076802Z","sortValues":null,"action":{"JobID":"0000000"},"user":"KKK","object":"Jobs","type":"delete","identifier":""},{"id":"90808","version":1,"modified":"2020-09-11T12:25:04.808661137Z","sortValues":null,"action":{"JobID":"9889808088","Name":"KA"},"user":"uy","object":"Jobs","type":"add","identifier":"9878979797"},</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P><FONT>I want to break the logs using<U><STRONG> <FONT>{"id.</FONT></STRONG></U></FONT></P><P>Thank you!</P><P>&nbsp;</P> Fri, 11 Sep 2020 14:16:30 GMT Abskal 2020-09-11T14:16:30Z https://community.splunk.com/t5/Splunk-Search/Search-time-line-break-using-REX/m-p/519076#M146154 <P>Hi Splunkers,</P><P>&nbsp;</P><P>Can anyone please help with search time line break for the following log.</P><P>&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">{"audits":[{"id":"000","version":1,"modified":"2020-09-11T12:28:44.351897585Z","sortValues":null,"action":{"JobID":"97979779797","Name":"TA"},"user":"x","object":"Jobs","type":"w","identifier":"0h0hh0h0hh"},{"id":"879789","version":1,"modified":"2020-09-11T12:27:46.568076802Z","sortValues":null,"action":{"JobID":"0000000"},"user":"KKK","object":"Jobs","type":"delete","identifier":""},{"id":"90808","version":1,"modified":"2020-09-11T12:25:04.808661137Z","sortValues":null,"action":{"JobID":"9889808088","Name":"KA"},"user":"uy","object":"Jobs","type":"add","identifier":"9878979797"},</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P><FONT>I want to break the logs using<U><STRONG> <FONT>{"id.</FONT></STRONG></U></FONT></P><P>Thank you!</P><P>&nbsp;</P> Fri, 11 Sep 2020 14:16:30 GMT https://community.splunk.com/t5/Splunk-Search/Search-time-line-break-using-REX/m-p/519076#M146154 Abskal 2020-09-11T14:16:30Z https://community.splunk.com/t5/Splunk-Search/Search-time-line-break-using-REX/m-p/519099#M146159 <P>Are you trying to get each audit as a separate event?</P><LI-CODE lang="markup">| makeresults | eval event="{\"audits\":[{\"id\":\"000\",\"version\":1,\"modified\":\"2020-09-11T12:28:44.351897585Z\",\"sortValues\":null,\"action\":{\"JobID\":\"97979779797\",\"Name\":\"TA\"},\"user\":\"x\",\"object\":\"Jobs\",\"type\":\"w\",\"identifier\":\"0h0hh0h0hh\"},{\"id\":\"879789\",\"version\":1,\"modified\":\"2020-09-11T12:27:46.568076802Z\",\"sortValues\":null,\"action\":{\"JobID\":\"0000000\"},\"user\":\"KKK\",\"object\":\"Jobs\",\"type\":\"delete\",\"identifier\":\"\"},{\"id\":\"90808\",\"version\":1,\"modified\":\"2020-09-11T12:25:04.808661137Z\",\"sortValues\":null,\"action\":{\"JobID\":\"9889808088\",\"Name\":\"KA\"},\"user\":\"uy\",\"object\":\"Jobs\",\"type\":\"add\",\"identifier\":\"9878979797\"}]}" | spath input=event path=audits{} | rename audits{} as audits | mvexpand audits | fields audits | fields - _time</LI-CODE> Fri, 11 Sep 2020 15:08:06 GMT https://community.splunk.com/t5/Splunk-Search/Search-time-line-break-using-REX/m-p/519099#M146159 ITWhisperer 2020-09-11T15:08:06Z https://community.splunk.com/t5/Splunk-Search/Search-time-line-break-using-REX/m-p/519107#M146160 <LI-SPOILER>Thank you for your response, I am trying to do line<STRONG>&nbsp;</STRONG>break after&nbsp;<STRONG><STRONG> <SPAN>{"id":</SPAN></STRONG> </STRONG>, so that every entry that starts from <STRONG>"id":</STRONG> should appear in new line.&nbsp;</LI-SPOILER> Fri, 11 Sep 2020 15:28:04 GMT https://community.splunk.com/t5/Splunk-Search/Search-time-line-break-using-REX/m-p/519107#M146160 Abskal 2020-09-11T15:28:04Z https://community.splunk.com/t5/Splunk-Search/Search-time-line-break-using-REX/m-p/519125#M146165 <P>I am confused that what should be the "eval event="&nbsp; ? here as I know the&nbsp;<SPAN>field=_raw</SPAN>.</P> Fri, 11 Sep 2020 16:13:48 GMT https://community.splunk.com/t5/Splunk-Search/Search-time-line-break-using-REX/m-p/519125#M146165 Abskal 2020-09-11T16:13:48Z https://community.splunk.com/t5/Splunk-Search/Search-time-line-break-using-REX/m-p/519131#M146167 <P>eval event= is me just making some sample data - you can start with</P><LI-CODE lang="markup">... your search | spath path=audits{} | rename audits{} as audits | mvexpand audits | fields audits | fields - _time</LI-CODE> Fri, 11 Sep 2020 16:17:45 GMT https://community.splunk.com/t5/Splunk-Search/Search-time-line-break-using-REX/m-p/519131#M146167 ITWhisperer 2020-09-11T16:17:45Z https://community.splunk.com/t5/Splunk-Search/Search-time-line-break-using-REX/m-p/519135#M146169 <P>I tried the below query but no results.</P><P>&nbsp;</P><P><FONT>index=test_logs<BR />| spath path=audits{}<BR />| rename audits{} as audits<BR />| mvexpand audits<BR />| fields audits<BR />| fields - _time</FONT></P> Fri, 11 Sep 2020 16:32:07 GMT https://community.splunk.com/t5/Splunk-Search/Search-time-line-break-using-REX/m-p/519135#M146169 Abskal 2020-09-11T16:32:07Z https://community.splunk.com/t5/Splunk-Search/Search-time-line-break-using-REX/m-p/519141#M146172 <P>Can you provide a couple of sample events?</P><LI-CODE lang="markup">index=test_logs | head 2</LI-CODE> Fri, 11 Sep 2020 17:29:25 GMT https://community.splunk.com/t5/Splunk-Search/Search-time-line-break-using-REX/m-p/519141#M146172 ITWhisperer 2020-09-11T17:29:25Z