Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Break Log file with header and details into events

warrenpage
Explorer
‎04-26-2011 06:11 PM

I have a log file that looks generally like this

Header data  time=xxxxxx  databasename=yyyyyyy  numberortables=xx
Detail tablename=table1  rowsread=1111
Detail tablename=table2  rowsread=2222

I know I could break events on each detail record. However is there a way to configure my props.conf file so it pushes/collect the Data from the header into the detail events somehow?

This is so I could do a search on say databasename=xxx and tablename=yyy?

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

hazekamp
Builder
‎04-26-2011 11:32 PM

Generally speaking there is no way to force that Header into each Detail record such that you have:

Event 1:
Header 1
Detail A

Event 2:
Header 1
Detail B

Depending on the number of "Detail" records you could create a multi-line event. I wouldn't recommend creating events w/ linecount>500. Given that the row count for an event = (# of tables) + 1 (header) you should be under that mark. You would essentially be creating a single event for each database.

Event 1:
Header 1
Detail A
Detail B
Detail C

Event 2:
Header 2
Detail X
Detail Y
Detail Z

View solution in original post

Reply
Solved! Jump to solution
Solution

hazekamp
Builder
‎04-26-2011 11:32 PM

Generally speaking there is no way to force that Header into each Detail record such that you have:

Event 1:
Header 1
Detail A

Event 2:
Header 1
Detail B

Depending on the number of "Detail" records you could create a multi-line event. I wouldn't recommend creating events w/ linecount>500. Given that the row count for an event = (# of tables) + 1 (header) you should be under that mark. You would essentially be creating a single event for each database.

Event 1:
Header 1
Detail A
Detail B
Detail C

Event 2:
Header 2
Detail X
Detail Y
Detail Z
Reply
Solved! Jump to solution

warrenpage
Explorer
‎04-28-2011 06:38 PM

Thanks I suspected as much.

I think I will just need to run the file through awk first to create full detail records like

time=xxxxxx databasename=yyyyyyy tablename=table1 rowsread=1111
time=xxxxxx databasename=yyyyyyy tablename=table2 rowsread=2222

In the meantime just doing without the header fields and marking the details as events separately.

0 Karma
Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...