Break Log file with header and details into events

warrenpage
Explorer

I have a log file that looks generally like this:

Header data  time=xxxxxx  databasename=yyyyyyy  numberortables=xx
Detail tablename=table1  rowsread=1111
Detail tablename=table2  rowsread=2222

I know I could break events on each detail record. However, is there a way to configure my props.conf file so it pushes/collects the data from the header into the detail events somehow?

This is so I could do a search on, say, databasename=xxx and tablename=yyy?


hazekamp
Builder

Generally speaking there is no way to force that Header into each Detail record such that you have:

Event 1:
Header 1
Detail A

Event 2:
Header 1
Detail B

Depending on the number of "Detail" records you could create a multi-line event. I wouldn't recommend creating events w/ linecount>500. Given that the row count for an event = (# of tables) + 1 (header), you should be under that mark. You would essentially be creating a single event for each database.

Event 1:
Header 1
Detail A
Detail B
Detail C

Event 2:
Header 2
Detail X
Detail Y
Detail Z

warrenpage
Explorer

Thanks, I suspected as much.

I think I will just need to run the file through awk first to create full detail records like:

time=xxxxxx databasename=yyyyyyy tablename=table1 rowsread=1111
time=xxxxxx databasename=yyyyyyy tablename=table2 rowsread=2222

In the meantime, just doing without the header fields and marking the details as events separately.

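The awk pre-processing step described above, as an added example that is not part of the original thread: it carries the header's time= and databasename= fields onto every Detail line, so each line becomes a self-contained key=value event that Splunk can break on with its default line breaker. The sample log is constructed to match the format shown in the question.

```shell
#!/bin/sh
# Added example: flatten a header/detail log so each Detail line carries the
# header's key=value fields. The sample log below is constructed for this example.

SAMPLE_LOG='Header data  time=20240101T120000  databasename=sales  numberortables=2
Detail tablename=orders  rowsread=1111
Detail tablename=customers  rowsread=2222
Header data  time=20240101T130000  databasename=hr  numberortables=1
Detail tablename=employees  rowsread=333'

# flatten_log: reads a header/detail log on stdin and writes one event per
# Detail line, with the most recent header's time= and databasename= prepended.
flatten_log() {
    awk '
        # A Header line resets the carried context. awk splits on runs of
        # whitespace, so the double spaces in the log are harmless.
        /^Header/ {
            hdr = ""
            for (i = 1; i <= NF; i++)
                if ($i ~ /^(time|databasename)=/)
                    hdr = hdr (hdr == "" ? "" : " ") $i
            next
        }
        # A Detail line becomes a self-contained event: header fields first,
        # then the detail key=value tokens (the literal "Detail" label is dropped).
        # If a Detail appears before any Header, hdr is empty and the line is
        # emitted without a leading space rather than being lost.
        /^Detail/ {
            out = hdr
            for (i = 2; i <= NF; i++)
                out = out (out == "" ? "" : " ") $i
            print out
        }
        # Blank lines and anything else are ignored.
    '
}

printf '%s\n' "$SAMPLE_LOG" | flatten_log
```

Each emitted line (e.g. `time=20240101T120000 databasename=sales tablename=orders rowsread=1111`) is then searchable on both the database and the table fields without any props.conf tricks.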