Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Access logs events showing in single line instead of multiline

priyesh
Explorer
‎08-08-2012 01:53 AM

Hi,

My access logs are showing as single event,it should show as different events.
I need each line as single event.

Example:

8/8/12
8:42:31.000 AM

10.127.77.58 - - [08/Aug/2012:04:42:31 -0400] "GET / HTTP/1.1" 500 538 "-" "OpenNMS HttpMonitor"

10.127.77.58 - - [08/Aug/2012:04:42:31 -0400] "GET / HTTP/1.1" 500 538 "-" "OpenNMS HttpMonitor"

0 Karma
Reply

Jason
Motivator
‎08-08-2012 02:24 AM

If your data source will never have multi-line events, you can set SHOULD_LINEMERGE = false in props.conf under the appropriate sourcetype, source, or host.

For example:

[openNMS]
# Properties for openNMS sourcetype
SHOULD_LINEMERGE = false

If there might be multi-line events in this source of data, you can use a combination of LINE_BREAKER to identify proper line endings or TIME_PREFIX/TIME_FORMAT/MAX_TIMESTAMP_LOOKAHEAD to identify timestamps. Splunk's default behavior is to break before a line containing a timestamp.

These are all in props.conf. http://docs.splunk.com/Documentation/Splunk/latest/admin/Propsconf

Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...