For example, the following logs are available.
2018-05-17 10:00:00.000
columnA columnB columnC
1111111 2222222 3333333
aaaaaaa bbbbbbb ccccccc
I want to index this log as two events as follows.
_time, columnA, columnB, columnC
2018-05-17 10:00:00.000, 1111111, 2222222, 3333333
2018-05-17 10:00:00.000, aaaaaaa, bbbbbbb, ccccccc
However, I cannot come up with a good idea to realize this.
Has anyone tried something similar?
props.conf
[yourSourceType]
SHOULD_LINEMERGE = 0
LINE_BREAKER = ([\r\n]+)
TIME_FORMAT = %Y-%m-%d %H:%M:%S.%3N
TIME_PREFIX = ^
MAX_TIMESTAMP_LOOKAHEAD = 32
EXTRACT-fields = (?<cola>\w+)\s(?<colb>\w+)\s(?<colc>\w+)
Save the props on the first heavy forwarder or indexer that will receive the data. Also put the props on your search head. In a stand-alone environment, put the props on the single Splunk instance.
Now restart Splunk and reload your data.
Finally, load the data and try this search:
| reverse
| filldown _time
| table _time cola colb colc
Adding | search NOT columna should remove the column names from the results
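To make the intended result concrete, here is an added Python model (not Splunk, and not code from the answer above) of what the props.conf plus "| reverse | filldown _time | search NOT columna" pipeline is meant to produce from the log in the question: each line becomes its own event, lines without a timestamp inherit the one seen above them, the header row is dropped, and the fields are laid out as the asker wanted. The sample log and the function names are constructed for this example.

```python
import re
from datetime import datetime

# Constructed sample input, same shape as the log in the question.
RAW_LOG = """2018-05-17 10:00:00.000
columnA columnB columnC
1111111 2222222 3333333
aaaaaaa bbbbbbb ccccccc
"""

# TIME_PREFIX = ^ with TIME_FORMAT %Y-%m-%d %H:%M:%S.%3N; Python's %f
# plays the role of Splunk's %3N (millisecond) directive here.
TIME_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3})$")
TIME_FORMAT = "%Y-%m-%d %H:%M:%S.%f"
# Same shape as the EXTRACT-fields regex in the answer.
FIELDS_RE = re.compile(r"^(?P<cola>\w+)\s(?P<colb>\w+)\s(?P<colc>\w+)$")


def break_lines(raw):
    """LINE_BREAKER = ([\\r\\n]+) with SHOULD_LINEMERGE = 0: one event per line."""
    return [line for line in re.split(r"[\r\n]+", raw) if line]


def index_events(raw):
    """Model of the indexed events after '| reverse | filldown _time'.

    Events that carry no timestamp of their own take the most recent one
    seen above them (what filldown does once the order is restored), and
    any event containing the term 'columna' is dropped, mirroring
    '| search NOT columna' (Splunk term matching is case-insensitive).
    """
    current_time = None
    events = []
    for line in break_lines(raw):
        m = TIME_RE.match(line)
        if m:
            current_time = datetime.strptime(m.group(1), TIME_FORMAT)
            continue  # timestamp-only line: supplies _time, no columns
        f = FIELDS_RE.match(line)
        if not f or "columna" in line.lower():
            continue  # header row or a line that does not match the extraction
        events.append({"_time": current_time, **f.groupdict()})
    return events


def render_rows(events):
    """Rows in the '_time, columnA, columnB, columnC' layout from the question."""
    return [", ".join([e["_time"].strftime("%Y-%m-%d %H:%M:%S.%f")[:-3],
                       e["cola"], e["colb"], e["colc"]]) for e in events]
```

Running index_events(RAW_LOG) yields exactly the two events from the question, both stamped 2018-05-17 10:00:00.000.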
Try once:
|transpose