topic Re: How to event break using Regex. Not working. in Splunk Search

How to event break using Regex. Not working.

hhGA — Tue, 29 Sep 2020 07:38:40 GMT

Hi,

I'm trying to import some CSV data into Splunk which is all on one line. The events are separated by a space and I am trying to use Regex to separate them, but to no avail. I have tried to do this on Splunk Cloud 6.3, Splunk Enterprise 6.3 and 6.2.5.

This is an example of the data I am trying to import:

1445429543,266.600000000000,4.228747140000 1445429534,266.600000000000,0.070900000000 1445429496,266.360000000000,0.120000000000 1445429479,266.350000000000,0.068756580000 1445429478,266.360000000000,0.051243420000 1445429458,266.360000000000,0.070000000000
1445429452,266.640000000000,0.279821050000

There are 3 comma separated fields per event.

I have used the Regex \s which does not work as well as things such as \d just to see if it is working. Nothing ever gets applied to my data though.

I have tried using the settings BREAK_ONLY_BEFORE, MUST_BREAK_AFTER and LINE_BREAKER.

Would anyone please be able to help?

Thanks.

Re: How to event break using Regex. Not working.

richgalloway — Wed, 21 Oct 2015 14:23:15 GMT

Assuming the first number in each triplet is a Unix-epoch timestamp, have you tried this?

BREAK_ONLY_BEFORE_DATE = true
TIME_FORMAT = %s
INDEXED_EXTRACTIONS = CSV

Re: How to event break using Regex. Not working.

hhGA — Wed, 21 Oct 2015 14:38:10 GMT

Hi,

Thanks for your answer. I have tried using these values but it makes no changes at all to my data structure. It's almost as if Splunk is ignoring them altogether.

Re: How to event break using Regex. Not working.

richgalloway — Wed, 21 Oct 2015 14:46:06 GMT

Are you restarting Splunk after each change to the props.conf file?

Re: How to event break using Regex. Not working.

hhGA — Wed, 21 Oct 2015 14:56:11 GMT

I'm not using the props.conf file as I do not have access to it. I am using the Add Data 'wizard' in the web interface.

Re: How to event break using Regex. Not working.

richgalloway — Wed, 21 Oct 2015 15:33:40 GMT

Do you have any control over the format of the data? If so, it would have if you added a header line and put one event (3 fields) per line.
If you can't change how the data is generated, we'll have to consider using transforms, but that can't be done via the GUI.

Re: How to event break using Regex. Not working.

somesoni2 — Wed, 21 Oct 2015 21:10:03 GMT

Give this a try (in the Web UI, add this in the Advanced tab)

NO_BINARY_CHECK=true
TIME_PREFIX=^
TIME_FORMAT=%s
MAX_TIMESTAMP_LOOKAHEAD=10

Re: How to event break using Regex. Not working.

hhGA — Fri, 23 Oct 2015 10:53:21 GMT

Hi somesoni2,
Thanks for giving it a go but this is not working either. It's not making any changes at all to the data. Am starting to think that my Splunk instance is not even attempting to apply the settings.

Re: How to event break using Regex. Not working.

hhGA — Fri, 23 Oct 2015 10:55:19 GMT

No, I don't have any control over the data and as I don't have access to trans.conf I can't play about with transforms. Is there any reason why my original method is not working?

Re: How to event break using Regex. Not working.

richgalloway — Fri, 23 Oct 2015 12:09:48 GMT

What version of Splunk are you using? I've replicated your lack of results using 6.3 and suspect there may be a bug in that version. If you're using a different version then the problem must lie elsewhere.

Re: How to event break using Regex. Not working.

hhGA — Fri, 23 Oct 2015 12:26:24 GMT

I have tried using 6.3 and 6.2.5. I also suspect there must be a bug from the complete lack of change in the data.