All Apps and Add-ons

How to add event breaks after indexing a file in Splunk

Explorer

I have a folder which contains multiple files. I have indexed the folder as continuous monitoring. I have used rex in my query to extract the fields. The rex would work only if I change event breaks to every line. But the problem is, when I index a folder as continuous monitoring, the step where I would select event breaks to every line is automatically skipped. Is there any way to solve this issue? Can I add event breaks after indexing a file?

0 Karma

Champion

Hi @harinivgr,
try this:

| rex max_match=0 "(?m)^(?<lines>[^\r\n]+)"
| table lines
| mvexpand lines
0 Karma

Champion

Hi @harinivgr,
please accept the answer if it significantly helped resolve your issue, or let us know if there are any more issues.

0 Karma

Champion

You can add event breaks and make your _raw look like separate events. Can you please give a sample of your event and where you want to break those events?

0 Karma

Champion

Could you add a sample of your events? This is possible both before and after indexing, but we need to see your event sample.

0 Karma

Explorer

-- Printed: 19/08/14 At: 02:19 Hrs. --
-- By: IBMUSER Page No.: 1 --



VOLUME FREE % ALLOC FRAG LARGEST FREE INDEX FREE FREE DEVICE DEV SHR USE RD CACHE DASD FW CACHE FW D
SERIAL SPACE FREE SPACE INDEX EXTENT EXTENTS STATUS DSCBS VIRS TYPE NUM DASD ATTR STATUS STATUS STATUS S
-(2)-- ---(3)--- (4)- ---(5)--- -(6)- ---(7)--- --(8)-- --(9)--- -(10)-- -(11)-- -(12)-- (13) (14) (15) --(16)-- --(17)-- --(18)-- -
TMPWKA 8404976K 84 1555493K 0 8404976K 1 ENABLED 7489 1223 3390-9 0B0A NO PRIV ACTIVE ACTIVE ACTIVE S
TMPWKB 9870825K 99 89644K 0 9870825K 1 ENABLED 7494 1223 3390-9 0B0B NO PRIV ACTIVE ACTIVE ACTIVE S
TMPWKC 9808572K 98 151897K 0 9808572K 1 ENABLED 7495 1223 3390-9 0B0C NO PRIV ACTIVE ACTIVE ACTIVE S
VDANBA 722964K 17 3427231K 109 422435K 7 ENABLED 701 285 3390-9 1A1F NO PRIV ACTIVE ACTIVE ACTIVE S
VDAUTJ 270648K 27 725399K 18 263122K 4 ENABLED 697 289 3390-9 19DE NO PRIV ACTIVE ACTIVE ACTIVE S
VDBAQB 321336K 32 674711K 73 245692K 4 ENABLED 719 289 3390-9 1A15 NO PRIV ACTIVE ACTIVE ACTIVE S
VDCAVA 95454K 66 49803K 0 95454K 1 ENABLED 722 290 3390-9 0B57 NO PRIV ACTIVE ACTIVE ACTIVE S
VDCDPA 729770K 73 266277K 0 729604K 3 ENABLED 708 289 3390-9 1A18 NO PRIV ACTIVE ACTIVE ACTIVE S
VDCHCA 1590632K 87 235454K 0 1590632K 1 ENABLED 715 288 3390-9 18DE NO PRIV ACTIVE ACTIVE ACTIVE S
VDDB1A 575438K 43 752625K 0 575217K 2 ENABLED 7481 2515 3390-9 1990 NO PRIV ACTIVE ACTIVE ACTIVE S
VDDB1B 301747K 23 1026316K 205 151067K 14 ENABLED 7457 2515 3390-9 1991 NO PRIV ACTIVE ACTIVE ACTIVE S
VDDCFA 11953K 6 178956K 37 11621K 4 ENABLED 707 311 3390-9 0CD7 NO PRIV ACTIVE ACTIVE ACTIVE S

The above is sample data. I have 3 files inside a single folder. While adding this folder as continuous monitoring, Splunk skipped the event break setting step. But while adding a single file, we can break the events on every line. So, we need to set the event break to every line after adding the folder.

0 Karma
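The index-time alternative the answers refer to, as an added example rather than configuration posted by anyone in the thread: an inputs.conf/props.conf/transforms.conf set that breaks this report into one event per line for data indexed after the change. Already-indexed events keep their original breaking, which is what the rex/mvexpand search above is for. The sourcetype name `vtoc_report`, the monitor path and the `vtoc_drop_header` stanza name are assumed placeholders.

```ini
# inputs.conf (on the forwarder that monitors the folder)
# Assumed placeholder path; assigning an explicit sourcetype makes the
# props.conf stanza below apply to every file in the folder.
[monitor:///opt/reports/vtoc]
sourcetype = vtoc_report

# props.conf (on the indexer or heavy forwarder that parses the data;
# the stanza name must match the sourcetype assigned above)
[vtoc_report]
# The default (SHOULD_LINEMERGE = true) merges lines that carry no
# timestamp into the preceding event, which is why the whole report
# arrived as one event. Disable merging and break on every newline.
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
# The data lines have no timestamp of their own; stamp them with index
# time instead of letting Splunk guess from the "Printed:" header or
# the file modification time.
DATETIME_CONFIG = CURRENT
# Optional: drop the printed header, separator and blank lines so they
# do not become events of their own (stanza defined in transforms.conf).
TRANSFORMS-drop = vtoc_drop_header

# transforms.conf
[vtoc_drop_header]
# Header/separator lines in the sample start with "--", "VOLUME",
# "SERIAL" or "-(2)--"; blank lines are dropped as well.
REGEX = ^(?:--|VOLUME|SERIAL|-\(2\)|\s*$)
DEST_KEY = queue
FORMAT = nullQueue
```

Restart the parsing instance after editing the files, and run `splunk btool props list vtoc_report` to confirm the stanza is picked up before re-adding data.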