I'm using Splunk DB Connect to monitor a mysql view. The query outputs the data like so:
mid=0001
ext_src=My Source
type = mytype
rating=2
tnum=blue sky
The problem is that Splunk only indexes partial values when the value contains a space. For example, the above event would be broken into fields by Splunk as follows:
_raw = mid=0001
ext_src=My Source
type = mytype
rating=2
tnum=blue sky
mid=0001
sec=
ext_src=My
type=mytype
rating=2
tnum=blue
desc=
usr=
Notice that the _raw field prints the entire value 'blue sky', but the indexed value for that field is cut off after the first space in the value.
My hunch is that I need to modify the "OUTPUT" setting for the input. The options available are:
key-value format
multi-line key-value format (I use this format here)
Template
CSV
CSV with headers
I'm wondering if anyone has experienced the same issue, or maybe I don't understand the output format. Can someone explain how to use the Template option?
Thanks
The problem is that the extraction of the multiline key-value relies on the sourcetype "dbmon:mkv". If you specified a custom one, you have to adjust the extraction settings for your sourcetype. In props.conf:
[mysourcetype]
KV_MODE = none
REPORT-mkv = dbx-mkv
The template output format allows you to specify an arbitrary text format (i.e. in the template text box), in which you can place replacement-tokens in the form of $column$. For example:
$timestamp$ this is my event from $city$, $country$
This will generate events like:
2012-12-19T22:57:16.123 this is my event from Vienna, Austria
You have to create field extractions for this kind of output yourself.
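To make the two points in this answer concrete, here is an added example (not code from the question, the answer, or DB Connect itself). It models why automatic key=value extraction cuts "blue sky" down to "blue" (values end at the next whitespace unless quoted), shows a line-anchored extraction of the kind the multi-line key-value output needs, and builds the hand-written extraction regex that the template output requires. The sample event is constructed to match the one in the question; the `AUTO_KV_RE` pattern is an approximation of Splunk's auto KV behaviour, and `MKV_RE` is an assumed equivalent of the dbx-mkv transform, whose actual regex is not shown on this page. All function and constant names are my own.

```python
import re

# Constructed sample event in DB Connect's multi-line key-value output,
# same shape as the one in the question (not taken from a real index).
MKV_EVENT = """mid=0001
ext_src=My Source
type = mytype
rating=2
tnum=blue sky"""

# Rough model of Splunk's automatic key=value extraction (KV_MODE=auto):
# a value ends at the next whitespace unless it is quoted. This is the
# behaviour behind tnum=blue and ext_src=My in the question. Assumed
# approximation of what Splunk does, not its actual implementation.
AUTO_KV_RE = re.compile(r'(\w+)\s*=\s*("[^"]*"|\S+)')

def extract_auto_kv(raw):
    """First value seen for each key, the way auto KV would cut it."""
    fields = {}
    for key, value in AUTO_KV_RE.findall(raw):
        fields.setdefault(key, value.strip('"'))
    return fields

# Line-anchored extraction for the multi-line format: one key=value per
# line and the value runs to end of line, so embedded spaces survive.
# Assumed equivalent of what the dbx-mkv transform does (its regex is not
# on the page). In transforms.conf the same pattern would be paired with
# FORMAT = $1::$2 and REPEAT_MATCH = true so that every line is extracted.
MKV_RE = re.compile(r'^\s*([^=\s]+)\s*=\s*(.*?)\s*$', re.MULTILINE)

def extract_mkv(raw):
    """All key=value pairs, values kept whole including spaces."""
    return dict(MKV_RE.findall(raw))

# Template output: the answer's example template and an event it produces.
TEMPLATE = '$timestamp$ this is my event from $city$, $country$'
TEMPLATE_EVENT = '2012-12-19T22:57:16.123 this is my event from Vienna, Austria'

TOKEN_RE = re.compile(r'\$(\w+)\$')

def template_to_regex(template):
    """Turn a DB Connect template into an extraction regex: every $column$
    token becomes a named capture group and the literal text between tokens
    is escaped and kept as an anchor. Tokens match lazily up to the next
    literal, so a value may contain spaces as long as it does not contain the
    literal that follows it (a convention of this helper, not of DB Connect)."""
    parts = TOKEN_RE.split(template)          # [literal, token, literal, ...]
    pattern = '^' + re.escape(parts[0])
    for i in range(1, len(parts), 2):
        token, literal = parts[i], parts[i + 1]
        pattern += '(?P<%s>.+?)' % token + re.escape(literal)
    return pattern + '$'

def to_splunk_regex(pattern):
    """Splunk's PCRE spells named groups (?<name>...), Python (?P<name>...)."""
    return pattern.replace('(?P<', '(?<')

def extract_template(template, event):
    """Fields a Splunk EXTRACT- stanza built from the template would yield."""
    m = re.match(template_to_regex(template), event)
    return m.groupdict() if m else {}

if __name__ == '__main__':
    print('auto KV  :', extract_auto_kv(MKV_EVENT))
    print('mkv      :', extract_mkv(MKV_EVENT))
    print('template :', extract_template(TEMPLATE, TEMPLATE_EVENT))
    # Candidate for props.conf, EXTRACT-template = <regex>, on the
    # sourcetype that receives the template output.
    print('EXTRACT-template =', to_splunk_regex(template_to_regex(TEMPLATE)))
```

The first two extractions are the practical reason for `KV_MODE = none` plus a `REPORT-` transform: with auto KV left on you get the truncated values alongside the correct ones. The generated template regex is only as robust as the literals between tokens; if a column value can itself contain the separator that follows it (a comma in a city name with `, ` as separator), pick a different separator in the template rather than relying on the lazy match.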
I have run into a problem with the REPORT-mkv = dbx-mkv solution: if a user does not have dbx_user role, then they can't get to the dbx-mkv transform, and field extraction does not work.
Our solution was to copy the dbx-mkv transform into etc/system/local/transforms under a different name, and then use that name in the REPORT-mkv stanza. No dbx_user role necessary.
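The workaround in this comment written out as configuration, as an added example rather than the commenter's actual files or DB Connect's shipped config. The stanza name `local_mkv` and the directory are assumptions, and the REGEX is an assumed line-anchored equivalent of dbx-mkv, since the shipped transform is not reproduced on this page; compare it against the copy in the DB Connect app before relying on it.

```ini
# $SPLUNK_HOME/etc/system/local/props.conf
[mysourcetype]
KV_MODE = none
# point at the locally owned copy instead of the app's dbx-mkv
REPORT-mkv = local_mkv

# $SPLUNK_HOME/etc/system/local/transforms.conf
[local_mkv]
# assumed equivalent of dbx-mkv: one key=value per line, value to end of line
REGEX = (?m)^\s*([^=\s]+)\s*=\s*(.*?)\s*$
FORMAT = $1::$2
# apply the regex to every line of the event, not just the first match
REPEAT_MATCH = true
```

Because the stanza lives in system/local it is not subject to the app's permissions, which is what removes the dbx_user role requirement. Check that the resolved settings are what you expect with `splunk btool props list mysourcetype --debug` and `splunk btool transforms list local_mkv --debug`, then confirm in search that a value with spaces comes back whole.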