Solved: DBConnect - Problem with multiline cells

bizza · ‎05-28-2014

Hi,
I configured dbconnect as tail-input on a Oracle database.
My problem is when I found a record with a multiline cell, usually when a SQL query is stored inside the cell.
Splunk split that record: there is a way to avoid it?

For example:

field1 | field2 | field3
ID | TIMESTAMP | SELECT * FROM TABLE;

works fine.

field1 | field2 | field3
ID | TIMESTAMP | SELECT * FROM TABLE
WHERE someoption blablabla;

Got me 2 events, and the second one is "WHERE someoption blablabla;" , without any interesting fields, so it cannot be correlated correctly to any other fields.

Any hints?

Regards

abonuccelli_spl · ‎05-29-2014

what does your db-tail input look like?

I can get multiline events broken down ok without actually touching props.conf...

Do you have multiline key-value output.format set?

output.format = mkv

View solution in original post

abonuccelli_spl · ‎05-29-2014

what does your db-tail input look like?

I can get multiline events broken down ok without actually touching props.conf...

Do you have multiline key-value output.format set?

output.format = mkv

bizza · ‎06-05-2014

mkv solved my issue.
Now I'll works on new props/transforms regex, but now splunk splits records correctly.

ciao

abonuccelli_spl · ‎05-28-2014

have you tried configuring props.conf with linemerging?

bizza · ‎05-28-2014

Yes, True first and then False.
I tried a non-matching truncate regexp too.

DBConnect - Problem with multiline cells

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

May 2026 Splunk Expert Sessions: Security & Observability

Join the Conversation