https://community.splunk.com/t5/Splunk-Search/How-to-split-multi-line-events-at-search-time/m-p/599307#M208637 <P>here's what I came up with.&nbsp; seems to work pretty well without modifying the data:</P><P>&nbsp;</P><LI-CODE lang="markup">| makeresults | eval _raw = "[abc] logline1 [def] logline 2 [ghi] logline 3" | eval raw=_raw | makemv tokenizer="(.*(\r\n|\r|\n|$))" raw | mvexpand raw | rename raw as _raw</LI-CODE> Wed, 25 May 2022 15:28:18 GMT msquicc 2022-05-25T15:28:18Z https://community.splunk.com/t5/Splunk-Search/How-to-split-multi-line-events-at-search-time/m-p/375464#M110321 <P>I have events that look like this:</P> <PRE><CODE>[abc] logline1 [def] logline 2 [ghi] logline 3 </CODE></PRE> <P>and I would like to split those events <STRONG>at search time</STRONG> into 3 single line events.<BR /> Is that possible?</P> <P>Thanks!</P> <P>P.S.<BR /> I Know this should be done at Indexer / Heavy Forwarder level using LINE_BREAKER, but that's not an option at this time.</P> Wed, 14 Feb 2018 17:26:52 GMT https://community.splunk.com/t5/Splunk-Search/How-to-split-multi-line-events-at-search-time/m-p/375464#M110321 aa123s 2018-02-14T17:26:52Z https://community.splunk.com/t5/Splunk-Search/How-to-split-multi-line-events-at-search-time/m-p/375465#M110322 <P>hello there,</P> <P>maybe try the <CODE>mvexpand</CODE> command<BR /> check i tout:<BR /> <A href="https://docs.splunk.com/Documentation/Splunk/7.0.2/SearchReference/Mvexpand">https://docs.splunk.com/Documentation/Splunk/7.0.2/SearchReference/Mvexpand</A></P> Wed, 14 Feb 2018 17:49:09 GMT https://community.splunk.com/t5/Splunk-Search/How-to-split-multi-line-events-at-search-time/m-p/375465#M110322 adonio 2018-02-14T17:49:09Z https://community.splunk.com/t5/Splunk-Search/How-to-split-multi-line-events-at-search-time/m-p/375466#M110323 <P>Before posting I tried this:<BR /> | rex mode=sed "s/([\r\n]+)/##LF##/g" | makemv _raw delim="##LF##" | mvexpand _raw</P> <P>but I couldn't make it work. Events are joined in a long string separated by ##LF##, but then those lines don't split back into separate events</P> Wed, 14 Feb 2018 19:14:34 GMT https://community.splunk.com/t5/Splunk-Search/How-to-split-multi-line-events-at-search-time/m-p/375466#M110323 aa123s 2018-02-14T19:14:34Z https://community.splunk.com/t5/Splunk-Search/How-to-split-multi-line-events-at-search-time/m-p/375467#M110324 <P>Try like this. The mvexpand command doesn't seem to work with fields starting with underscore.</P> <PRE><CODE>your base search | rex mode=sed "s/([\r\n]+)/##LF##/g" | makemv _raw delim="##LF##" | rename _raw as raw | mvexpand raw | rename raw as _raw </CODE></PRE> Wed, 14 Feb 2018 19:20:21 GMT https://community.splunk.com/t5/Splunk-Search/How-to-split-multi-line-events-at-search-time/m-p/375467#M110324 somesoni2 2018-02-14T19:20:21Z https://community.splunk.com/t5/Splunk-Search/How-to-split-multi-line-events-at-search-time/m-p/375468#M110325 <P>Referring to your previous question:</P> <P><A href="https://answers.splunk.com/answers/618398/why-is-splunk-not-breaking-each-log-line-into-sing.html#answer-619402">https://answers.splunk.com/answers/618398/why-is-splunk-not-breaking-each-log-line-into-sing.html#answer-619402</A></P> <P>I strongly suggest working now to get these logs indexed properly instead of trying to solve this problem at search time. You will end up being frustrated time and time again if your events are not indexed properly.</P> Wed, 14 Feb 2018 19:36:14 GMT https://community.splunk.com/t5/Splunk-Search/How-to-split-multi-line-events-at-search-time/m-p/375468#M110325 micahkemp 2018-02-14T19:36:14Z https://community.splunk.com/t5/Splunk-Search/How-to-split-multi-line-events-at-search-time/m-p/375469#M110326 <P>Super! Its <STRONG>almost</STRONG> working: the remaining problem is that lines are being re-grouped in reverse order... Could that be fixed? Thanks!</P> Wed, 14 Feb 2018 19:49:56 GMT https://community.splunk.com/t5/Splunk-Search/How-to-split-multi-line-events-at-search-time/m-p/375469#M110326 aa123s 2018-02-14T19:49:56Z https://community.splunk.com/t5/Splunk-Search/How-to-split-multi-line-events-at-search-time/m-p/375470#M110327 <P>I got that, Thanks. We are already working to add correct indexing at forwarder level. In the mean time, however, we need this workaround.</P> Wed, 14 Feb 2018 19:54:02 GMT https://community.splunk.com/t5/Splunk-Search/How-to-split-multi-line-events-at-search-time/m-p/375470#M110327 aa123s 2018-02-14T19:54:02Z https://community.splunk.com/t5/Splunk-Search/How-to-split-multi-line-events-at-search-time/m-p/375471#M110328 <P>I'm sorry my comment was incomplete. I meant rows are being re-grouped in reverse order when I pipe the output of your solution to <CODE>transaction</CODE> ...<BR /> It normally doesn't happen</P> Wed, 14 Feb 2018 19:58:36 GMT https://community.splunk.com/t5/Splunk-Search/How-to-split-multi-line-events-at-search-time/m-p/375471#M110328 aa123s 2018-02-14T19:58:36Z https://community.splunk.com/t5/Splunk-Search/How-to-split-multi-line-events-at-search-time/m-p/375472#M110329 <P>I ended up adding <CODE>| reverse</CODE> at the end... go figure why that happens!...<BR /> Thanks a lot!</P> Wed, 14 Feb 2018 20:05:00 GMT https://community.splunk.com/t5/Splunk-Search/How-to-split-multi-line-events-at-search-time/m-p/375472#M110329 aa123s 2018-02-14T20:05:00Z https://community.splunk.com/t5/Splunk-Search/How-to-split-multi-line-events-at-search-time/m-p/599307#M208637 <P>here's what I came up with.&nbsp; seems to work pretty well without modifying the data:</P><P>&nbsp;</P><LI-CODE lang="markup">| makeresults | eval _raw = "[abc] logline1 [def] logline 2 [ghi] logline 3" | eval raw=_raw | makemv tokenizer="(.*(\r\n|\r|\n|$))" raw | mvexpand raw | rename raw as _raw</LI-CODE> Wed, 25 May 2022 15:28:18 GMT https://community.splunk.com/t5/Splunk-Search/How-to-split-multi-line-events-at-search-time/m-p/599307#M208637 msquicc 2022-05-25T15:28:18Z