Archive
Highlighted

About spliting events

New Member

For example, the following logs are available.

2018-05-17 10:00:00.000

columnA columnB columnC
1111111 2222222 3333333
aaaaaaa bbbbbbb ccccccc

I want to index this log as two events as follows.

_time                    columnA, columnB, columnC
2018-05-17 10:00:00.000, 1111111, 2222222, 3333333
2018-05-17 10:00:00.000, aaaaaaa, bbbbbbb, ccccccc

However, I can not come up with a good idea to realize this.
Is there anyone who has tried similar things?

Tags (1)
0 Karma
Highlighted

Re: About spliting events

try once--

|transpose
Highlighted

Re: About spliting events

SplunkTrust
SplunkTrust

props.conf

[yourSourceType]
SHOULD_LINEMERGE = 0
LINE_BREAKER = ([\n|\r]+)
TIME_FORMAT = %Y-%m-%d %H:%M:%S.%3
TIME_PREFIX = ^
MAX_TIMESTAMP_LOOKAHEAD=32
EXTRACT-fields=(?<colA>[\w|\d]+)\s(?<colb>[\w|\d]+)\s(?<colc>[\w|\d]+)

Save the props on the first heavy forwarder, or indexer that will receive the data. Also put the props on your search head. In a stand-alone environment, put the props on the single splunk instance.

Now restart splunk and reload your data.

Finally load the data and try this search

| reverse
| filldown _time
| table _time cola colb colc

Adding | search NOT columna should remove the column names from the results

0 Karma