https://community.splunk.com/t5/Splunk-Search/Line-break-or-merge/m-p/325184#M176941 <P>This has been resolved. I was using the incorrect sourcetype.</P> Thu, 25 Jan 2018 14:26:48 GMT rmsit 2018-01-25T14:26:48Z https://community.splunk.com/t5/Splunk-Search/Line-break-or-merge/m-p/325180#M176937 <P>Hi all,</P> <P>How would I go about merging multiple values on multiple lines so all values are captured? Currenlty, I am only seeing values from the first line. Data below.</P> <P>2018-01-23 13:48:42 Protocol="TCP" LocalAddress="0.0.0.0" LocalPort="135" RemoteAddress="0.0.0.0" RemotePort="0" State="LISTENING" ProcessName="svchost" PID="860"<BR /> 2018-01-23 13:48:42 Protocol="TCP" LocalAddress="0.0.0.0" LocalPort="443" RemoteAddress="0.0.0.0" RemotePort="0" State="LISTENING" ProcessName="System" PID="4"<BR /> 2018-01-23 13:48:42 Protocol="TCP" LocalAddress="0.0.0.0" LocalPort="445" RemoteAddress="0.0.0.0" RemotePort="0" State="LISTENING" ProcessName="System" PID="4"<BR /> 2018-01-23 13:48:42 Protocol="TCP" LocalAddress="0.0.0.0" LocalPort="3389" RemoteAddress="0.0.0.0" RemotePort="0" State="LISTENING" ProcessName="svchost" PID="2480"<BR /> 2018-01-23 13:48:42 Protocol="TCP" LocalAddress="0.0.0.0" LocalPort="4445" RemoteAddress="0.0.0.0" RemotePort="0" State="LISTENING" ProcessName="enstart64" PID="1760"<BR /> 2018-01-23 13:48:42 Protocol="TCP" LocalAddress="0.0.0.0" LocalPort="5985" RemoteAddress="0.0.0.0" RemotePort="0" State="LISTENING" ProcessName="System" PID="4"<BR /> 2018-01-23 13:48:42 Protocol="TCP" LocalAddress="0.0.0.0" LocalPort="8089" RemoteAddress="0.0.0.0" RemotePort="0" State="LISTENING" ProcessName="splunkd" PID="10180"</P> <P>Thanks!</P> Tue, 23 Jan 2018 19:53:44 GMT https://community.splunk.com/t5/Splunk-Search/Line-break-or-merge/m-p/325180#M176937 rmsit 2018-01-23T19:53:44Z https://community.splunk.com/t5/Splunk-Search/Line-break-or-merge/m-p/325181#M176938 <P>Do all these lines part of one Splunk event? OR they appear (each line with timestamp) as separate event?</P> Tue, 23 Jan 2018 20:03:43 GMT https://community.splunk.com/t5/Splunk-Search/Line-break-or-merge/m-p/325181#M176938 somesoni2 2018-01-23T20:03:43Z https://community.splunk.com/t5/Splunk-Search/Line-break-or-merge/m-p/325182#M176939 <P>Believe so. Each line begins with a timestamp and there are several values for the fields shown that appear on each line. This is a dump of the netstat -ano command on a Windows server. </P> Tue, 23 Jan 2018 20:14:14 GMT https://community.splunk.com/t5/Splunk-Search/Line-break-or-merge/m-p/325182#M176939 rmsit 2018-01-23T20:14:14Z https://community.splunk.com/t5/Splunk-Search/Line-break-or-merge/m-p/325183#M176940 <P>You can use props.conf to prevent line breaking but you will need a unique identifier at the end or beginning of your event. Then you can use RegEx to locate that identifier to group everything. </P> <P><A href="https://docs.splunk.com/Documentation/Splunk/7.0.1/Data/Configureeventlinebreaking">https://docs.splunk.com/Documentation/Splunk/7.0.1/Data/Configureeventlinebreaking</A> </P> Thu, 25 Jan 2018 01:18:25 GMT https://community.splunk.com/t5/Splunk-Search/Line-break-or-merge/m-p/325183#M176940 JordanPeterson 2018-01-25T01:18:25Z https://community.splunk.com/t5/Splunk-Search/Line-break-or-merge/m-p/325184#M176941 <P>This has been resolved. I was using the incorrect sourcetype.</P> Thu, 25 Jan 2018 14:26:48 GMT https://community.splunk.com/t5/Splunk-Search/Line-break-or-merge/m-p/325184#M176941 rmsit 2018-01-25T14:26:48Z https://community.splunk.com/t5/Splunk-Search/Line-break-or-merge/m-p/325185#M176942 <P>Also answered here: <A href="https://answers.splunk.com/answers/552523/windows-netstat.html">link text</A></P> Thu, 25 Jan 2018 14:32:37 GMT https://community.splunk.com/t5/Splunk-Search/Line-break-or-merge/m-p/325185#M176942 rmsit 2018-01-25T14:32:37Z