
How to add event breaks after indexing a file in Splunk

harinivgr
Explorer

I have a folder which contains multiple files. I have indexed the folder as continuous monitoring. I have used rex in my query to extract the fields. The rex would work only if I change event breaks to every line. But the problem is, when I index a folder as continuous monitoring, the step where I would select event breaks to every line is automatically skipped. Is there any way to solve this issue? Can I add event breaks after indexing a file?


Sukisen1981
Champion

Hi @harinivgr,
try this:

| rex max_match=0 "(?m)^(?<lines>.+)$"
| table lines
| mvexpand lines

Sukisen1981
Champion

Hi @harinivgr,
please accept the answer if it significantly helped resolve your issue, or let us know if there are any more issues.

Sukisen1981
Champion

You can add event breaks and make your _raw look like separate events. Can you please give a sample of your event and where you want to break those events?

Sukisen1981
Champion

Could you add a sample of your events? This is possible both before and after indexing, but we need to see your event sample.

harinivgr
Explorer

-- Printed: 19/08/14 At: 02:19 Hrs. --
-- By: IBMUSER Page No.: 1 --



VOLUME FREE % ALLOC FRAG LARGEST FREE INDEX FREE FREE DEVICE DEV SHR USE RD CACHE DASD FW CACHE FW D
SERIAL SPACE FREE SPACE INDEX EXTENT EXTENTS STATUS DSCBS VIRS TYPE NUM DASD ATTR STATUS STATUS STATUS S
-(2)-- ---(3)--- (4)- ---(5)--- -(6)- ---(7)--- --(8)-- --(9)--- -(10)-- -(11)-- -(12)-- (13) (14) (15) --(16)-- --(17)-- --(18)-- -
TMPWKA 8404976K 84 1555493K 0 8404976K 1 ENABLED 7489 1223 3390-9 0B0A NO PRIV ACTIVE ACTIVE ACTIVE S
TMPWKB 9870825K 99 89644K 0 9870825K 1 ENABLED 7494 1223 3390-9 0B0B NO PRIV ACTIVE ACTIVE ACTIVE S
TMPWKC 9808572K 98 151897K 0 9808572K 1 ENABLED 7495 1223 3390-9 0B0C NO PRIV ACTIVE ACTIVE ACTIVE S
VDANBA 722964K 17 3427231K 109 422435K 7 ENABLED 701 285 3390-9 1A1F NO PRIV ACTIVE ACTIVE ACTIVE S
VDAUTJ 270648K 27 725399K 18 263122K 4 ENABLED 697 289 3390-9 19DE NO PRIV ACTIVE ACTIVE ACTIVE S
VDBAQB 321336K 32 674711K 73 245692K 4 ENABLED 719 289 3390-9 1A15 NO PRIV ACTIVE ACTIVE ACTIVE S
VDCAVA 95454K 66 49803K 0 95454K 1 ENABLED 722 290 3390-9 0B57 NO PRIV ACTIVE ACTIVE ACTIVE S
VDCDPA 729770K 73 266277K 0 729604K 3 ENABLED 708 289 3390-9 1A18 NO PRIV ACTIVE ACTIVE ACTIVE S
VDCHCA 1590632K 87 235454K 0 1590632K 1 ENABLED 715 288 3390-9 18DE NO PRIV ACTIVE ACTIVE ACTIVE S
VDDB1A 575438K 43 752625K 0 575217K 2 ENABLED 7481 2515 3390-9 1990 NO PRIV ACTIVE ACTIVE ACTIVE S
VDDB1B 301747K 23 1026316K 205 151067K 14 ENABLED 7457 2515 3390-9 1991 NO PRIV ACTIVE ACTIVE ACTIVE S
VDDCFA 11953K 6 178956K 37 11621K 4 ENABLED 707 311 3390-9 0CD7 NO PRIV ACTIVE ACTIVE ACTIVE S

The above is sample data. I have 3 files inside a single folder. While adding this folder as continuous monitoring, Splunk skipped the event break setting step. But while adding a single file, we can break the events as single lines. So, we need to set event breaks to every line after adding the folder.
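A search-time version of the approach given in the answer above, applied to the report sample in the question (an added example, not code from the thread): the `(?m)` flag makes `^` and `$` match at every line of the multi-line event, `mvexpand` turns each captured line into its own result row, and a second `rex` extracts fields from the volume rows (the header and separator lines do not match it and are dropped by the `where`). The index and sourcetype names and the extracted field names are assumptions.

```spl
index=main sourcetype="vtoc_report"
| rex max_match=0 "(?m)^(?<lines>.+)$"
| mvexpand lines
| rex field=lines "^(?<volser>[A-Z0-9]{6})\s+(?<free_kb>\d+)K\s+(?<pct_free>\d+)\s+(?<alloc_kb>\d+)K\s+(?<frag_index>\d+)\s+(?<largest_free_kb>\d+)K\s+(?<free_extents>\d+)\s+(?<index_status>[A-Z]+)\s+(?<free_dscbs>\d+)\s+(?<free_virs>\d+)\s+(?<device_type>\S+)\s+(?<dev_num>[0-9A-F]{4})"
| where isnotnull(volser)
| table volser free_kb pct_free alloc_kb frag_index largest_free_kb free_extents index_status free_dscbs free_virs device_type dev_num
```

Because everything here happens at search time, it applies to events that are already indexed without re-indexing the files; the stored events themselves are not changed.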
