https://community.splunk.com/t5/Splunk-Search/Multi-Line-event/m-p/26613#M177669 <P>Perfect!! Thank you so very much!!</P> Mon, 13 Jun 2011 23:32:35 GMT drawnsle 2011-06-13T23:32:35Z https://community.splunk.com/t5/Splunk-Search/Multi-Line-event/m-p/26611#M177667 <P>Sorry complete newbie, having trouble getting my head around splitting this log into distinct event. The default processing does an adequate job but does not split it that well. Attached is a series of events from the log each should be split by the following "( ['WSRoot' : 0x9c4ff598]"<BR /> Further clarification the splunk process seems to also split on the "CreationTime" field.</P> <P>This is an output currently being generated by WebSphere Message Broker. I am unaware of whether this is a custom output or a standard one from the product. Simply put I would like some help (preferably the answer) to split the events based on</P> <PRE><CODE>( ['WSRoot' : 0x9c4ff598] (0x01000000:Name ):Properties = ( ['WSPROPERTYPARSER' : 0x9e4395f8] (0x03000000:NameValue):MessageSet = '' (CHARACTER) (0x03000000:NameValue):MessageType = '' (CHARACTER) (0x03000000:NameValue):MessageFormat = '' (CHARACTER) (0x03000000:NameValue):Encoding = 546 (INTEGER) (0x03000000:NameValue):CodedCharSetId = 1208 (INTEGER) (0x03000000:NameValue):Transactional = FALSE (BOOLEAN) (0x03000000:NameValue):Persistence = FALSE (BOOLEAN) (0x03000000:NameValue):CreationTime = GMTTIMESTAMP '2010-09-21 09:01:12.483628' (GMTTIMESTAMP) (0x03000000:NameValue):ExpirationTime = -1 (INTEGER) (0x03000000:NameValue):Priority = 0 (INTEGER) (0x03000000:NameValue):ReplyIdentifier = X'000000000000000000000000000000000000000000000000' (BLOB) (0x03000000:NameValue):ReplyProtocol = 'MQ' (CHARACTER) (0x03000000:NameValue):Topic = NULL (0x03000000:NameValue):ContentType = 'text/xml; charset=utf-8' (CHARACTER) (0x03000000:NameValue):IdentitySourceType = '' (CHARACTER) (0x03000000:NameValue):IdentitySourceToken = '' (CHARACTER) (0x03000000:NameValue):IdentitySourcePassword = '' (CHARACTER) (0x03000000:NameValue):IdentitySourceIssuedBy = '' (CHARACTER) (0x03000000:NameValue):IdentityMappedType = '' (CHARACTER) (0x03000000:NameValue):IdentityMappedToken = '' (CHARACTER) (0x03000000:NameValue):IdentityMappedPassword = '' (CHARACTER) (0x03000000:NameValue):IdentityMappedIssuedBy = '' (CHARACTER) ) (0x01000000:Name ):HTTPResponseHeader = ( ['WSRSPHDR' : 0x9e205050] (0x03000000:NameValue):X-Original-HTTP-Status-Line = 'HTTP/1.1 200 OK' (CHARACTER) (0x03000000:NameValue):X-Original-HTTP-Status-Code = 200 (INTEGER) (0x03000000:NameValue):Date = 'Tue, 21 Sep 2010 09:01:04 GMT' (CHARACTER) (0x03000000:NameValue):Server = 'Microsoft-IIS/6.0' (CHARACTER) (0x03000000:NameValue):X-Powered-By = 'ASP.NET' (CHARACTER) (0x03000000:NameValue):X-AspNet-Version = '2.0.50727' (CHARACTER) (0x03000000:NameValue):Cache-Control = 'private, max-age=0' (CHARACTER) (0x03000000:NameValue):Content-Type = 'text/xml; charset=utf-8' (CHARACTER) (0x03000000:NameValue):Content-Length = '435' (CHARACTER) ) (0x01000000:Folder):XMLNSC = ( ['xmlnsc' : 0x9ebffcf0] (0x01000400:NamespaceDecl):XmlDeclaration = ( (0x03000100:Attribute):Version = '1.0' (CHARACTER) (0x03000100:Attribute):Encoding = 'utf-8' (CHARACTER) ) (0x01000000:Folder )http://schemas.xmlsoap.org/soap/envelope/:Envelope = ( (0x03000102:NamespaceDecl)http://www.w3.org/2000/xmlns/:soap = 'http://schemas.xmlsoap.org/soap/envelope/' (CHARACTER) (0x03000102:NamespaceDecl)http://www.w3.org/2000/xmlns/:xsi = 'http://www.w3.org/2001/XMLSchema-instance' (CHARACTER) (0x03000102:NamespaceDecl)http://www.w3.org/2000/xmlns/:xsd = 'http://www.w3.org/2001/XMLSchema' (CHARACTER) (0x01000000:Folder )http://schemas.xmlsoap.org/soap/envelope/:Body = ( (0x01000000:Folder)http://example.com/xmlns/lookupimport/:UpdateGoodsReceiptResponse = ( (0x03000102:NamespaceDecl):xmlns = 'http://example.com/xmlns/lookupimport/' (CHARACTER) (0x01000000:Folder )http://example.com/xmlns/lookupimport/:UpdateGoodsReceiptResult = ( (0x03000000:PCDataField)http://example.com/xmlns/lookupimport/:Success = 'true' (CHARACTER) ) ) ) ) ) ) </CODE></PRE> Mon, 13 Jun 2011 00:15:33 GMT https://community.splunk.com/t5/Splunk-Search/Multi-Line-event/m-p/26611#M177667 drawnsle 2011-06-13T00:15:33Z https://community.splunk.com/t5/Splunk-Search/Multi-Line-event/m-p/26612#M177668 <P>Drawnsle,</P> <P>You can achieve this using the <CODE>LINE_BREAKER</CODE> property:</P> <PRE><CODE>## props.conf [&lt;your_sourcetype&gt;] SHOULD_LINEMERGE = false LINE_BREAKER = ([\r\n]+)\(\s+\[\'WSRoot\'\s+:\s+0x9c4ff598\] TIME_PREFIX = CreationTime\s+=\s+GMTTIMESTAMP\s+\' TIME_FORMAT = %Y-%m-%d %H:%M:%S.%6N TZ = GMT </CODE></PRE> <P>I have also added properties for timestamp extraction per CreationTime.<BR /> Consider adding <CODE>TRUNCATE=0</CODE> if your events are longer than 10000 bytes:</P> <PRE><CODE>TRUNCATE = &lt;non-negative integer&gt; * Change the default maximum line length (in bytes). * Although this is in bytes, line length is rounded down when this would otherwise land mid-character for multi-byte characters. * Set to 0 if you never want truncation (very long lines are, however, often a sign of garbage data). * Defaults to 10000 bytes. </CODE></PRE> Mon, 13 Jun 2011 16:30:28 GMT https://community.splunk.com/t5/Splunk-Search/Multi-Line-event/m-p/26612#M177668 hazekamp 2011-06-13T16:30:28Z https://community.splunk.com/t5/Splunk-Search/Multi-Line-event/m-p/26613#M177669 <P>Perfect!! Thank you so very much!!</P> Mon, 13 Jun 2011 23:32:35 GMT https://community.splunk.com/t5/Splunk-Search/Multi-Line-event/m-p/26613#M177669 drawnsle 2011-06-13T23:32:35Z