topic How can I break this two events? in Splunk Search

How can I break this two events?

prianticoy — Thu, 26 Nov 2015 20:08:05 GMT

Hello!!!

Can you help me to break this two events, they must separated with this expression

WORD WORD WORD

We have this two events, so please use them as an example:

SUBPROCESS Process Termination
------------------------------
Username:          ZZZZ              UIC:               [1,4]
Account:           WWWWWW            Finish time:       29-OCT-2015 00:00:09.15
Process ID:        DDDDDDDD          Start time:        29-OCT-2015 00:00:09.14
Owner ID:          AAAAAAAA          Elapsed time:                0 00:00:00.01
Terminal name:                       Processor time:              0 00:00:00.02
Remote node addr:                    Priority:          4
Remote node name:                    Privilege <31-00>: FFFFFFFF
Remote ID:                           Privilege <63-32>: FFFFFFFF
Remote full name:
Posix UID:         -2                Posix GID:         -2 (%XFFFFFFFE)
Queue entry:                         Final status code: 00000001
Queue name:
Job name:
Final status text: %SYSTEM-S-NORMAL, normal successful completion
Page faults:               81        Direct IO:                  5
Page fault reads:          21        Buffered IO:              120
Peak working set:        1616        Volumes mounted:            0
Peak page file:        171680        Images executed:            3

NETWORK Process Termination
---------------------------
Username:          XXXX              UIC:               [1,4]
Account:           XDXDXD            Finish time:       29-OCT-2015 00:00:09.16
Process ID:        YYYYYYYY          Start time:        29-OCT-2015 00:00:05.82
Owner ID:                            Elapsed time:                0 00:00:03.34
Terminal name:                       Processor time:              0 00:00:00.16
Remote node addr:                    Priority:          4
Remote node name:                    Privilege <31-00>: FFFFFFFF
Remote ID:         NRPE              Privilege <63-32>: FFFFFFFF
Remote full name:  161.131.194.38
Posix UID:         -2                Posix GID:         -2 (%XFFFFFFFE)
Queue entry:                         Final status code: 00000001
Queue name:
Job name:
Final status text: %SYSTEM-S-NORMAL, normal successful completion
Page faults:              408        Direct IO:                119
Page fault reads:         108        Buffered IO:              793
Peak working set:        6912        Volumes mounted:            0
Peak page file:        176720        Images executed:            7

Thanks for your help!!!

Re: How can I break this two events?

HiroshiSatoh — Fri, 27 Nov 2015 06:06:04 GMT

If you split the time index･･･

props.conf

  [your_events]
  BREAK_ONLY_BEFORE = NETWORK Process Termination

If you split the search statement･･･

  (your search)|eval wk_raw=replace(_raw,"NETWORK Process Termination","[break]NETWORK Process Termination") |makemv delim="[break]" wk_raw | mvexpand wk_raw|eval _raw=wk_raw

Re: How can I break this two events?

prianticoy — Tue, 29 Sep 2020 08:02:39 GMT

Thanks for your answer, but I can't use the complete phrase as line breaker because the words are changing during the different events. I already work in the props file with this command: BREAK_ONLY_BEFORE and a regular expression, and didn't work...

I can't split it in the search statement because I'm trying to define the sourcetype...

Do you have another idea?

Thanks again!!!