https://community.splunk.com/t5/Splunk-Search/Extracting-tabular-information-using-KV-MODE/m-p/101284#M182838 <P>For a <CODE>LINE_BREAKER</CODE> that does not ever match, I use <CODE>LINE_BREAKER = (?!)</CODE></P> Thu, 03 Feb 2011 05:34:54 GMT gkanapathy 2011-02-03T05:34:54Z https://community.splunk.com/t5/Splunk-Search/Extracting-tabular-information-using-KV-MODE/m-p/101282#M182836 <P>Hello</P> <P>I have a search that uses multikv in the search command to take my tablular event and split it up into fields, as follows</P> <PRE>index=logchecker | multikv fields App LogFile FileCount FileSize LineCount MinDate MaxDate NoOfMinutes AveCharPerMinute</PRE> <P>This gives me an event on each line, with it picking up each field, so I can just then pass these fields to a "table" command and it comes out nicely. </P> <P>However, I'd like to find a way to do this automatically in props.conf to make things simpler. I looked it up and the documentation suggests just adding the following, but this doesn't seem to have any impact.</P> <PRE>KV_MODE = true CHECK_FOR_HEADER = true</PRE> <P>Is there something else I need to add? My input is basically a script which echos lines of data as it searches through logs, outputting a first line of headers. I've changed props.conf to merge all the data together so I can then split it correctly based on the headers. Current props.conf</P> <PRE> [logchecker] BREAK_ONLY_BEFORE = &lt;stuff&gt; DATETIME_CONFIG = CURRENT KV_MODE = multi CHECK_FOR_HEADER = true </PRE> <P>Current Output</P> <PRE>App,LogFile,FileCount,FileSize,LineCount,MinDate,MaxDate,NoOfMinutes,AveCharPerMinute ./configservice,vsol43a-6005,configservice.tc1.log, 21, 106659113, 845724,2010-04-06 06:24,2010-12-08 10:34,354490,300 ./configservice,vsol43a-6005,configservice.tp1.log, 9, 42589938, 284878,2010-01-19 09:03,2010-12-08 10:44,465221,91 </PRE> <P>Any ideas how I can do this extraction automatically?</P> <P>Thanks Hazel</P> Wed, 08 Dec 2010 19:06:14 GMT https://community.splunk.com/t5/Splunk-Search/Extracting-tabular-information-using-KV-MODE/m-p/101282#M182836 Hazel 2010-12-08T19:06:14Z https://community.splunk.com/t5/Splunk-Search/Extracting-tabular-information-using-KV-MODE/m-p/101283#M182837 <P>Try using the following stanza in props.conf:</P> <PRE><CODE>[logchecker] SHOULD_LINEMERGE = false LINE_BREAKER = (ThiStringDoesNotExistInYourData) TRUNCATE = 100000 DATETIME_CONFIG = CURRENT KV_MODE = multi </CODE></PRE> <P>The first four lines of that stanza instruct Splunk to index the entire file content (up to 100KB, increase if necessary) as a single event and assign it the current timestamp. KV_MODE tells Splunk search to apply auto multikv to the events when they are retrieved from the index and before any further search time processing</P> Thu, 09 Dec 2010 02:10:04 GMT https://community.splunk.com/t5/Splunk-Search/Extracting-tabular-information-using-KV-MODE/m-p/101283#M182837 Ledion_Bitincka 2010-12-09T02:10:04Z https://community.splunk.com/t5/Splunk-Search/Extracting-tabular-information-using-KV-MODE/m-p/101284#M182838 <P>For a <CODE>LINE_BREAKER</CODE> that does not ever match, I use <CODE>LINE_BREAKER = (?!)</CODE></P> Thu, 03 Feb 2011 05:34:54 GMT https://community.splunk.com/t5/Splunk-Search/Extracting-tabular-information-using-KV-MODE/m-p/101284#M182838 gkanapathy 2011-02-03T05:34:54Z