topic Re: Break Events from a single Event in Splunk Search

Break Events from a single Event

Shashank_87 — Tue, 19 Jun 2018 10:32:43 GMT

Hi, I have this weird logging from one of the application where it is logging multiple users in a single event with a different timestamp and a thread name. I am actually trying to find out number of logins per day but how do I extract this data of single events consist of multiple events.
Example - below is a single event contains the data for 2 users. How do I break it probably using the timestamp or threadname?

[catalina-exec-86] 19Jun18-11:31:00 INFO (test.java:31)-{"id":null,"clientip":"1.16.9.13","currentRuntimeId":"0","currentUserId":"0","currentUsername":"test@gmail.com","unixTimestamp":"988","verb":"POST","request":"/test/start","response":"0","bytes":null,"httpversion":null,"referrer":"https://test","uaString":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.84 Safari/537.36","threadName":"thread12","actionName":"test","hasEnriched":"false","country":"test","enrichment.protocol":"test","enrichment.username":"test@gmail.com"}
[catalina-exec-38] 19Jun18-11:31:01 INFO (test.java:31)-{"id":null,"clientip":"12.1.96.18","currentRuntimeId":"0","currentUserId":"0","currentUsername":"test123@abc.com","unixTimestamp":"099","verb":"POST","request":"/test/start","response":"0","bytes":null,"httpversion":null,"referrer":"https://test","uaString":"Mozilla/5.0 (iPhone; CPU iPhone OS 11_4 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15F79","threadName":"thread24","actionName":"test","hasEnriched":"false","country":"test","enrichment.protocol":"test","enrichment.username":"test123@abc.com"}

Any help would be much appreciated.

Re: Break Events from a single Event

rteja9 — Tue, 29 Sep 2020 20:06:01 GMT

You need to line break the events into individual events. This can be done either on HF or on indexers.
Below is the document explaining how to enable event line breaking on Splunk,
https://docs.splunk.com/Documentation/Splunk/7.1.1/Data/Configureeventlinebreaking

Basically Splunk auto line breaks based on timestamp value. But in your case as event doesn't start with timestamp, you need to explicitly specify line breaking configuration.
You can try below configuration,
props.conf
[]
SHOULD_LINEMERGE=true
BREAK_ONLY_BEFORE = ^[catalina-exec-

Re: Break Events from a single Event

s2_splunk — Tue, 29 Sep 2020 20:02:26 GMT

To confirm: I see two events (starting with [catalina-exec-nn]). Are you saying your log source does not have a carriage return/new line between the two?

This should do what you need if that's the case:
BREAK_ONLY_BEFORE = [catalina-exec-\d+]
TIME_FORMAT = %d%b%y-%H:%M:%S
TIME_PREFIX = [catalina-exec-\d+]\s

Re: Break Events from a single Event

skoelpin — Tue, 19 Jun 2018 21:31:15 GMT

You should use LINE_BREAKER over BREAK_ONLY_BEFORE and should stay away from SHOULD_LINEMERGE=true

Re: Break Events from a single Event

skoelpin — Tue, 19 Jun 2018 21:36:07 GMT

You need to apply base configs on your indexer(s) to break the events up

LINE_BREAKER=\[catalina-exec\-\d+\]
SHOULD_LINE_MERGE=false
TRUNCATE=1000

Restart splunkd on the indexer(s) after adding this

Re: Break Events from a single Event

Shashank_87 — Thu, 21 Jun 2018 11:07:45 GMT

Yes that worked perfectly. Thank you very much for the response

Re: Break Events from a single Event

skoelpin — Thu, 21 Jun 2018 14:59:26 GMT

Foolish...