https://community.splunk.com/t5/Splunk-Search/Is-there-a-way-to-use-structured-field-extraction-PSV-in-this/m-p/229428#M67935 <P>If it works for you, you should convert this comment to an answer and mark it as accepted, so others can see your problem is fixed <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P> Thu, 14 Jan 2016 08:25:56 GMT DMohn 2016-01-14T08:25:56Z https://community.splunk.com/t5/Splunk-Search/Is-there-a-way-to-use-structured-field-extraction-PSV-in-this/m-p/229426#M67933 <P>Hi There,</P> <P>I have been trying with no luck today to do a structured field extraction using the "Add Data" function of my test environment:<BR /> Splunk Version 6.3.1<BR /> RHEL</P> <P>The data looks something like this:</P> <PRE><CODE>2016-01-11 08:22:11.048 +10:00|SDLC||someuniquedata|Appname|ver|11|Information| Single line message 2016-01-11 08:22:12.249 +10:00|SDLC||someuniquedata|Appname|ver|11|Warning| multi-line message part 1 multi-line message part 2 multi-line message part 3 2016-01-11 08:22:26.227 +10:00|SDLC||someuniquedata|Appname|ver|48|Information| Single line message </CODE></PRE> <P>But when I configure the parameters to do a PSV field extraction, the multiline message part 2 and 3 lines are created as separate events. At this point, since I have used many combinations of <CODE>SHOULD_LINEMERGE</CODE> ( and dependent config options such as <CODE>BREAK_ONLY_*</CODE>) and <CODE>LINE_BREAK</CODE> to no avail, I am left with the sinking feeling that this is just the way this type of structured data is handled...</P> <P>Is there something else (perhaps outside of the gui) that I could try?</P> <P>Regards,<BR /> Luke </P> Tue, 12 Jan 2016 08:08:04 GMT https://community.splunk.com/t5/Splunk-Search/Is-there-a-way-to-use-structured-field-extraction-PSV-in-this/m-p/229426#M67933 ljolly 2016-01-12T08:08:04Z https://community.splunk.com/t5/Splunk-Search/Is-there-a-way-to-use-structured-field-extraction-PSV-in-this/m-p/229427#M67934 <P>I managed to answer my own question, which is nice. <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> <P>props.conf</P> <PRE><CODE>[psv-iis] SHOULD_LINEMERGE = true NO_BINARY_CHECK = true category = Custom disabled = false REPORT-extractpsv = extractpsv-iis pulldown_type = true </CODE></PRE> <P>transforms.conf</P> <PRE><CODE>[extractpsv-iis] DELIMS = "|" FIELDS = Timestamp , Environment , ClientIP , CorrelationId , ApplicationName , ApplicationVersion , ThreadId , Level , Message </CODE></PRE> <P>Regards,<BR /> Luke</P> Wed, 13 Jan 2016 04:38:28 GMT https://community.splunk.com/t5/Splunk-Search/Is-there-a-way-to-use-structured-field-extraction-PSV-in-this/m-p/229427#M67934 ljolly 2016-01-13T04:38:28Z https://community.splunk.com/t5/Splunk-Search/Is-there-a-way-to-use-structured-field-extraction-PSV-in-this/m-p/229428#M67935 <P>If it works for you, you should convert this comment to an answer and mark it as accepted, so others can see your problem is fixed <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P> Thu, 14 Jan 2016 08:25:56 GMT https://community.splunk.com/t5/Splunk-Search/Is-there-a-way-to-use-structured-field-extraction-PSV-in-this/m-p/229428#M67935 DMohn 2016-01-14T08:25:56Z https://community.splunk.com/t5/Splunk-Search/Is-there-a-way-to-use-structured-field-extraction-PSV-in-this/m-p/229429#M67936 <P>I managed to answer my own question, which is nice. <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> <P>props.conf</P> <PRE><CODE>[psv-iis] SHOULD_LINEMERGE = true NO_BINARY_CHECK = true category = Custom disabled = false REPORT-extractpsv = extractpsv-iis pulldown_type = true </CODE></PRE> <P>transforms.conf</P> <PRE><CODE>[extractpsv-iis] DELIMS = "|" FIELDS = Timestamp , Environment , ClientIP , CorrelationId , ApplicationName , ApplicationVersion , ThreadId , Level , Message </CODE></PRE> <P>Regards,<BR /> Luke</P> Thu, 14 Jan 2016 09:15:19 GMT https://community.splunk.com/t5/Splunk-Search/Is-there-a-way-to-use-structured-field-extraction-PSV-in-this/m-p/229429#M67936 ljolly 2016-01-14T09:15:19Z