Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Need help for line breaking

RobertRi
Communicator
‎11-19-2013 10:54 PM

Hi

I have a problem with an logifle wich has over 95% single line events and a few multiline events.

These multiline events have this format

START*A .....
   ....
   ....
   ....
END

How can I configure I splunk to keep this lines together as a one multiline event?

Thanks for your help
Rob

Tags (2)
0 Karma
Reply

RobertRi
Communicator
‎11-19-2013 11:25 PM

Yes, the inner multiline lines are indented with tabs

0 Karma
Reply

gkanapathy
Splunk Employee
Splunk Employee
‎11-19-2013 11:24 PM

Then:

[mysourcetype]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)(?:XSET|XGET|START|\?|XKS|XDEL)

may do it. Or,

[mysourcetype]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)(?!(?:END|\t))
0 Karma
Reply

gkanapathy
Splunk Employee
Splunk Employee
‎11-19-2013 11:39 PM

for best performance, you want to set SHOULD_LINEMERGE = false, which disables all rules other than LINE_BREAKER. but generally indexing performance is not a problem and so a clearer rule may be better.

0 Karma
Reply

RobertRi
Communicator
‎11-19-2013 11:30 PM

I have played around with the data preview in the UI (really cool thing!) and found that this works too.

MUST_NOT_BREAK_AFTER=^START\*\w+\s
MUST_BREAK_AFTER=^END
SHOULD_LINEMERGE= true

In case of performance, did you recommend your solution with the LINE_BREAKER or my way?

Thank you very much for your help!
Rob

0 Karma
Reply

gkanapathy
Splunk Employee
Splunk Employee
‎11-19-2013 11:23 PM

So, with the multi-line events, are the inner lines actually indented with spaces or tabs? Or is that just how you formatted it?

0 Karma
Reply

RobertRi
Communicator
‎11-19-2013 11:12 PM

The single lines are really different
They begin with ..

XSET
XGET
START ......... END
?
XKS
XDEL

0 Karma
Reply

gkanapathy
Splunk Employee
Splunk Employee
‎11-19-2013 11:08 PM

what do the single line events look like?

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...