https://community.splunk.com/t5/Splunk-Search/extract-multi-lines-fields/m-p/175359#M50331 <P>Any problems with breaking the log into indvidual events? Or is it only regarding the field extraction?</P> Wed, 11 Dec 2013 17:59:46 GMT kristian_kolb 2013-12-11T17:59:46Z https://community.splunk.com/t5/Splunk-Search/extract-multi-lines-fields/m-p/175358#M50330 <P>We are logging the following application network statistics. I want to be able to index the data into splunk so we can generate reports on it.</P> <P>The First line consists of the following fields:<BR /> timestamp, site name, remote server name , local server name</P> <P>Other lines of the same record consists of the following fields:<BR /> statistic name : message type : origin Node : statistic Value</P> <P>This is the actual log:</P> <P>1386704158913 SITE-A,remoteServer1,localhost<BR /> receivedMessages:AAA:NODE1:10<BR /> receivedMessages:BBB:NODE1:10<BR /> sentMessages:CCC:NODE2:10<BR /> discMessages:AAA:NODE1:1<BR /> discMessages:BBB:NODE2:1</P> <P>1386704158913 SITE-A,remoteServer2,localhost2<BR /> receivedMessages:FFF:NODE1:10<BR /> receivedMessages:GGG:NODE1:10<BR /> sentMessages:HHH:NODE2:10<BR /> discMessages:FFF:NODE1:1<BR /> discMessages:III:NODE2:1</P> <P>Is there a way to extract all the fields above from that log format?</P> <P>Thanks a lot.</P> Wed, 11 Dec 2013 17:49:02 GMT https://community.splunk.com/t5/Splunk-Search/extract-multi-lines-fields/m-p/175358#M50330 lgmnemesis 2013-12-11T17:49:02Z https://community.splunk.com/t5/Splunk-Search/extract-multi-lines-fields/m-p/175359#M50331 <P>Any problems with breaking the log into indvidual events? Or is it only regarding the field extraction?</P> Wed, 11 Dec 2013 17:59:46 GMT https://community.splunk.com/t5/Splunk-Search/extract-multi-lines-fields/m-p/175359#M50331 kristian_kolb 2013-12-11T17:59:46Z https://community.splunk.com/t5/Splunk-Search/extract-multi-lines-fields/m-p/175360#M50332 <P>If i break the log/lines into individual events, wont i loos the correlation between the first line (which consists of the event time stamp and other shared fields) and the other sub lines?</P> Wed, 11 Dec 2013 18:35:16 GMT https://community.splunk.com/t5/Splunk-Search/extract-multi-lines-fields/m-p/175360#M50332 lgmnemesis 2013-12-11T18:35:16Z https://community.splunk.com/t5/Splunk-Search/extract-multi-lines-fields/m-p/175361#M50333 <P>No, you should not break them into single-line events, for the exact reasons that you mention. My question was if you had succeeded in creating the (multi-line) events correctly in splunk.</P> Wed, 11 Dec 2013 21:07:40 GMT https://community.splunk.com/t5/Splunk-Search/extract-multi-lines-fields/m-p/175361#M50333 kristian_kolb 2013-12-11T21:07:40Z https://community.splunk.com/t5/Splunk-Search/extract-multi-lines-fields/m-p/175362#M50334 <P>You can easily do that by adjusting the line breaking in props.conf</P> <P>Have a play with regular expressions and the options under "Attributes that are available only when SHOULD_LINEMERGE is set to true" in</P> <P><A href="http://docs.splunk.com/Documentation/Splunk/6.0/Data/Indexmulti-lineevents">http://docs.splunk.com/Documentation/Splunk/6.0/Data/Indexmulti-lineevents</A></P> Thu, 12 Dec 2013 02:14:44 GMT https://community.splunk.com/t5/Splunk-Search/extract-multi-lines-fields/m-p/175362#M50334 asimagu 2013-12-12T02:14:44Z https://community.splunk.com/t5/Splunk-Search/extract-multi-lines-fields/m-p/175363#M50335 <P>Use Regext to extract the time, then MVEXPAND then you will be able to have the correlation. Then make the extractions.</P> Thu, 12 Dec 2013 06:30:43 GMT https://community.splunk.com/t5/Splunk-Search/extract-multi-lines-fields/m-p/175363#M50335 linu1988 2013-12-12T06:30:43Z