Break Large Events into Many Small Events

willial
Communicator

I've run back and forth through the props.conf documentation and done a few circuits of Answers, but I haven't found anything that actually works yet, so here we are.

I have these large multi-line events coming into splunk with source=tcp-raw. They look kind of like this:

@@@
-> section 1
*bunch of stuff here*
@@@
-> section 2
*bunch of stuff here*
@@@

and so on. The "@@@" is what I want to break the events up on, since it's an obvious delimiter. So I tried adding the following to props.conf:

[source::tcp-raw]
SHOULD_LINEMERGE = false
DATETIME_CONFIG = current
LINE_BREAKER = @@@

The result was splunk either not indexing the data at all, or throwing it out somehow. Whenever I'd send a new report with that stanza in place, nothing would show up. Removed it, and the data appeared in its normal unbroken form.

What am I doing wrong?

0 Karma

willial
Communicator

I've solved my own problem. The stanza now looks like:

BREAK_ONLY_BEFORE = @@@
SHOULD_LINEMERGE = true

It's now splitting properly.

0 Karma

willial
Communicator

Since I'm doing this in a test environment I'm able to throw a new batch of data at it on demand, which should then be indexed under the new rules. I'm following this process: change props.conf in /local, restart splunk server, send new data, check result, repeat.

0 Karma

linu1988
Champion

Did you re-index all the data or are you looking at the same data? It needs to be re-indexed.

0 Karma

willial
Communicator

OK, that fixed the problem of splunk throwing out the incoming data, but it's still not breaking up the events.

0 Karma

somesoni2
Revered Legend

Try "BREAK_ONLY_BEFORE = @@@" instead of "LINE_BREAKER = @@@"

0 Karma
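A small emulation, added here and not part of the thread, of the two Splunk event-breaking modes discussed above: BREAK_ONLY_BEFORE with SHOULD_LINEMERGE = true (the stanza the original poster settled on and that somesoni2 recommended), and LINE_BREAKER with SHOULD_LINEMERGE = false, which Splunk only accepts when the regex contains a capturing group (the text matched by the group is discarded at the break, which is why a bare "LINE_BREAKER = @@@" does not work). The sample payload and the function names are constructed for illustration; the model ignores timestamp-based breaking, MAX_EVENTS and the other props.conf settings.

```python
import re
from typing import List

# Constructed sample of the multi-section payload described in the question.
SAMPLE = (
    "@@@\n"
    "-> section 1\n"
    "alpha line\n"
    "beta line\n"
    "@@@\n"
    "-> section 2\n"
    "gamma line\n"
    "@@@\n"
)


def break_only_before(raw: str, pattern: str) -> List[str]:
    """Emulate SHOULD_LINEMERGE = true with BREAK_ONLY_BEFORE = <pattern>.

    Splunk first splits the stream into lines, then merges consecutive lines
    into one event, starting a fresh event whenever a line matches the
    pattern. The delimiter line stays at the head of the event it opens.
    """
    regex = re.compile(pattern)
    events: List[str] = []
    current: List[str] = []
    for line in raw.splitlines():
        if regex.search(line) and current:
            events.append("\n".join(current))
            current = []
        current.append(line)
    if current:
        # A trailing delimiter with nothing after it becomes its own event
        # in this model; Splunk would hold it until more data arrives.
        events.append("\n".join(current))
    return events


def is_valid_line_breaker(pattern: str) -> bool:
    """LINE_BREAKER is only valid when the regex has a capturing group."""
    return re.compile(pattern).groups >= 1


def line_breaker(raw: str, pattern: str) -> List[str]:
    """Emulate SHOULD_LINEMERGE = false with LINE_BREAKER = <pattern>.

    The stream is cut wherever the pattern matches; the text captured by
    group 1 is dropped, everything else is kept. Empty chunks (for example
    a delimiter at the very start of the stream) produce no event.
    """
    if not is_valid_line_breaker(pattern):
        raise ValueError("LINE_BREAKER must contain a capturing group")
    regex = re.compile(pattern)
    events: List[str] = []
    pos = 0
    for match in regex.finditer(raw):
        start, end = match.span(1)
        chunk = raw[pos:start]
        if chunk.strip():
            events.append(chunk)
        pos = end
    tail = raw[pos:]
    if tail.strip():
        events.append(tail)
    return events


if __name__ == "__main__":
    print("BREAK_ONLY_BEFORE = @@@ ->", break_only_before(SAMPLE, r"@@@"))
    print("LINE_BREAKER = ([\\r\\n]*@@@[\\r\\n]*) ->",
          line_breaker(SAMPLE, r"([\r\n]*@@@[\r\n]*)"))
    print("LINE_BREAKER = @@@ valid?", is_valid_line_breaker("@@@"))
```

The two modes give different events for the same input: BREAK_ONLY_BEFORE keeps the "@@@" line inside each event, while a LINE_BREAKER whose capturing group swallows the delimiter and its surrounding newlines yields events that start directly at "-> section N". When checking a new stanza, send fresh data after the restart, as the thread notes, because already-indexed events are never re-broken.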