topic How to break events on Particular field using Regex or any other process? in Splunk Search https://community.splunk.com/t5/Splunk-Search/How-to-break-events-on-Particular-field-using-Regex-or-any-other/m-p/272134#M81880 <P>Hi All,</P> <P>Below is my event data:</P> <P>Issue 1:</P> <PRE><CODE>11/11/15 1:26:01.000 PM Job Id, Class Id,"Id","Success","Created","Error","Id","Service_Team_Members_Initials__c" 950210000002JwhAAE,651270000007OwIAAU,"","false","false","FIELD_CUSTOM_VALIDATION_EXCEPTION:01: The selected Contact Role is not valid for this type of Office. Valid option is RIA:Contact_Role_and_Registration__c --","006C000001NM6TpIAL","ABCD, JERW, XCVB, CGLC, JSWB, BCH, LAAM, TCWJ, DAFC, KJJH, SCAH, BIMR" 650240000003JwhAAE,451270000007OwIAAU,"","false","false","FIELD_CUSTOM_VALIDATION_EXCEPTION:01: The selected Contact Role is not valid for this type of Office. Valid option is RIA:Contact_Role_and_Registration__c --","005C000001Se9x2IAB","EFGH, TWEW, SDFR, MCQ, JOLP, MPK, SCRC, LAAM, LAAM, JNAC, SCAH, JSDF, CDER, DAFC, KJJH, BCH" </CODE></PRE> <P>1) I want to skip headers <CODE>jobid,classid,"ID","Success","Error","Id","Service_Team_Members_Initials__c"</CODE> in the events.<BR /> 2) I need to know how to break the events on <CODE>Job Id</CODE>, and after breaking all events, should have the same date and time by using regex or any other method to solve this.</P> <P>Issue 2:</P> <PRE><CODE>11/10/15 5:48:13.000 AM 1-0000642980,,,,,290641,Sent WMS,,Proposal Order,Error received from salesesssd.com. Fields [Requested_Delivery_Date__c]. Status code [FIELD_CUSTOM_VALIDATION_EXCEPTION]. Message [Please select Requested Delivery Date]. 1-0000642131,,,,,290480,Sent WMS,,Proposal Order,Error received from salesesssd.com. Fields [Requested_Delivery_Date__c]. Status code [FIELD_CUSTOM_VALIDATION_EXCEPTION]. Message [Please select Requested Delivery Date]. 1-0000642138,,,,,290485,Sent WMS,,Proposal Order,Error received from salesesssd.com. Fields [Requested_Delivery_Date__c]. Status code [FIELD_CUSTOM_VALIDATION_EXCEPTION]. Message [Please select Requested Delivery Date]. </CODE></PRE> <P>1) I want to break these events on the newline character.</P> <P>Thanks in advance, and any method to make this work is fine.<BR /> I used this for issue2: <CODE>LINE_BREAKER = ([\r\n]+)</CODE> in props.conf</P> <P>Thanks in advance.</P> Tue, 15 Dec 2015 01:33:01 GMT mprreddy51 2015-12-15T01:33:01Z How to break events on Particular field using Regex or any other process? https://community.splunk.com/t5/Splunk-Search/How-to-break-events-on-Particular-field-using-Regex-or-any-other/m-p/272134#M81880 <P>Hi All,</P> <P>Below is my event data:</P> <P>Issue 1:</P> <PRE><CODE>11/11/15 1:26:01.000 PM Job Id, Class Id,"Id","Success","Created","Error","Id","Service_Team_Members_Initials__c" 950210000002JwhAAE,651270000007OwIAAU,"","false","false","FIELD_CUSTOM_VALIDATION_EXCEPTION:01: The selected Contact Role is not valid for this type of Office. Valid option is RIA:Contact_Role_and_Registration__c --","006C000001NM6TpIAL","ABCD, JERW, XCVB, CGLC, JSWB, BCH, LAAM, TCWJ, DAFC, KJJH, SCAH, BIMR" 650240000003JwhAAE,451270000007OwIAAU,"","false","false","FIELD_CUSTOM_VALIDATION_EXCEPTION:01: The selected Contact Role is not valid for this type of Office. Valid option is RIA:Contact_Role_and_Registration__c --","005C000001Se9x2IAB","EFGH, TWEW, SDFR, MCQ, JOLP, MPK, SCRC, LAAM, LAAM, JNAC, SCAH, JSDF, CDER, DAFC, KJJH, BCH" </CODE></PRE> <P>1) I want to skip headers <CODE>jobid,classid,"ID","Success","Error","Id","Service_Team_Members_Initials__c"</CODE> in the events.<BR /> 2) I need to know how to break the events on <CODE>Job Id</CODE>, and after breaking all events, should have the same date and time by using regex or any other method to solve this.</P> <P>Issue 2:</P> <PRE><CODE>11/10/15 5:48:13.000 AM 1-0000642980,,,,,290641,Sent WMS,,Proposal Order,Error received from salesesssd.com. Fields [Requested_Delivery_Date__c]. Status code [FIELD_CUSTOM_VALIDATION_EXCEPTION]. Message [Please select Requested Delivery Date]. 1-0000642131,,,,,290480,Sent WMS,,Proposal Order,Error received from salesesssd.com. Fields [Requested_Delivery_Date__c]. Status code [FIELD_CUSTOM_VALIDATION_EXCEPTION]. Message [Please select Requested Delivery Date]. 1-0000642138,,,,,290485,Sent WMS,,Proposal Order,Error received from salesesssd.com. Fields [Requested_Delivery_Date__c]. Status code [FIELD_CUSTOM_VALIDATION_EXCEPTION]. Message [Please select Requested Delivery Date]. </CODE></PRE> <P>1) I want to break these events on the newline character.</P> <P>Thanks in advance, and any method to make this work is fine.<BR /> I used this for issue2: <CODE>LINE_BREAKER = ([\r\n]+)</CODE> in props.conf</P> <P>Thanks in advance.</P> Tue, 15 Dec 2015 01:33:01 GMT https://community.splunk.com/t5/Splunk-Search/How-to-break-events-on-Particular-field-using-Regex-or-any-other/m-p/272134#M81880 mprreddy51 2015-12-15T01:33:01Z Re: How to break events on Particular field using Regex or any other process? https://community.splunk.com/t5/Splunk-Search/How-to-break-events-on-Particular-field-using-Regex-or-any-other/m-p/272135#M81881 <P>Hi,</P> <P>For issue 1 to erase the header<BR /> in props.conf <BR /> [YOURSOURCETYPE]<BR /> TRANSFORMS-delete-header = eliminate-header</P> <P>in transforms.conf<BR /> [eliminate-header]</P> <PRE><CODE>REGEX=^Job\s+Id </CODE></PRE> <P>DEST_KEY=queue<BR /> FORMAT=nullQueue</P> <P>For issue 2</P> <P><CODE>LINE_BREAKER = ([\r\n]+)\d\-\d+\,)</CODE></P> <P>Hope help you</P> Tue, 15 Dec 2015 12:17:33 GMT https://community.splunk.com/t5/Splunk-Search/How-to-break-events-on-Particular-field-using-Regex-or-any-other/m-p/272135#M81881 jmallorquin 2015-12-15T12:17:33Z