Break Log file with header and details into events

warrenpage
Explorer

I have a log file that looks generally like this

Header data  time=xxxxxx  databasename=yyyyyyy  numberortables=xx
Detail tablename=table1  rowsread=1111
Detail tablename=table2  rowsread=2222

I know I could break events on each detail record. However, is there a way to configure my props.conf file so it pushes/collects the data from the header into the detail events somehow?

This is so I could do a search on, say, databasename=xxx and tablename=yyy?

1 Solution

hazekamp
Builder

Generally speaking there is no way to force that Header into each Detail record such that you have:

Event 1:
Header 1
Detail A

Event 2:
Header 1
Detail B

Depending on the number of "Detail" records, you could create a multi-line event. I wouldn't recommend creating events w/ linecount>500. Given that the row count for an event = (# of tables) + 1 (header), you should be under that mark. You would essentially be creating a single event for each database.

Event 1:
Header 1
Detail A
Detail B
Detail C

Event 2:
Header 2
Detail X
Detail Y
Detail Z

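The multi-line, one-event-per-database layout described in the answer above can be configured in props.conf roughly as follows. This is an added example, not configuration posted in the thread: the sourcetype name `dbload`, the TRUNCATE value and the assumption that every block begins with a line starting with the word `Header` are mine, and the timestamp format is unknown from the question, so no TIME_FORMAT is set.

```ini
# props.conf on the indexer or heavy forwarder that parses this source.
# Added example, not from the thread; the sourcetype name "dbload" and the
# timestamp/TRUNCATE settings are assumptions.
[dbload]
# Break only in front of a line that starts with "Header". The capture group
# around the newline(s) is what gets discarded; the lookahead keeps the
# "Header" text inside the next event. Each event is then one header plus
# all of its Detail lines.
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)(?=Header\s)
# The event time is the header's time= field. Add TIME_FORMAT once the real
# layout of that value is known.
TIME_PREFIX = time=
MAX_TIMESTAMP_LOOKAHEAD = 40
# Default TRUNCATE is 10000 bytes per event; raise it if one database can
# report many tables so the tail of the event is not cut off.
TRUNCATE = 100000
```

Two caveats worth knowing before relying on this. First, the alternative of `SHOULD_LINEMERGE = true` with `BREAK_ONLY_BEFORE = ^Header` also works, but line merging is capped by MAX_EVENTS (256 lines by default), whereas the LINE_BREAKER form above has no line limit and is bounded only by TRUNCATE in bytes. Second, inside a merged event Splunk's automatic key=value extraction turns `tablename` and `rowsread` into multivalue fields, so `databasename=xxx tablename=yyy` will find the right event, but pairing a particular tablename with its own rowsread value needs extra work at search time (for example `rex` with `max_match` plus `mvzip`), or the flattening approach warrenpage describes further down, where every detail line becomes its own event that already carries the header fields.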
warrenpage
Explorer

Thanks, I suspected as much.

I think I will just need to run the file through awk first to create full detail records like

time=xxxxxx databasename=yyyyyyy tablename=table1 rowsread=1111
time=xxxxxx databasename=yyyyyyy tablename=table2 rowsread=2222

In the meantime, just doing without the header fields and marking the details as events separately.

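
The awk pre-processing step warrenpage describes, written out as an added example (it is not code from the thread). It reads the raw header/detail log on stdin and emits one self-contained `key=value` line per Detail record, carrying forward the most recent header's fields, so Splunk can break on every line and `databasename=xxx tablename=yyy` matches a single event whose `rowsread` belongs to that one table. The sample log lines are constructed from the shape shown in the question; the function name `flatten_dblog` and the sample values are my own.

```shell
#!/bin/sh
# Added example (not from the original thread): pre-process a header/detail
# log with awk so that every Detail line becomes a self-contained event that
# also carries the header's key=value fields. Sample data and names below are
# constructed for illustration.

# Constructed sample input in the shape described in the question.
SAMPLE_LOG='Header data  time=20240101T120000  databasename=sales  numberortables=2
Detail tablename=orders  rowsread=1111
Detail tablename=customers  rowsread=2222
Header data  time=20240101T120500  databasename=hr  numberortables=1
Detail tablename=employees  rowsread=33'

# flatten_dblog: read the raw log on stdin and write one
# "time=.. databasename=.. numberortables=.. tablename=.. rowsread=.." line
# per Detail record on stdout. Only key=value tokens are kept, so the literal
# words "Header", "data" and "Detail" drop out and multiple spaces collapse.
# A Detail line seen before any Header is reported on stderr and skipped
# rather than silently emitted without its context.
flatten_dblog() {
  awk '
    /^Header/ {
      hdr = ""
      for (i = 2; i <= NF; i++)
        if (index($i, "=") > 0) hdr = hdr (hdr == "" ? "" : " ") $i
      next
    }
    /^Detail/ {
      if (hdr == "") {
        print "flatten_dblog: Detail before any Header, skipped: " $0 > "/dev/stderr"
        next
      }
      line = hdr
      for (i = 2; i <= NF; i++)
        if (index($i, "=") > 0) line = line " " $i
      print line
      next
    }
  '
}

# flatten_count: number of flattened records produced from stdin; handy for a
# quick sanity check against the sum of the headers' numberortables values.
flatten_count() {
  flatten_dblog | wc -l | tr -d " "
}

printf '%s\n' "$SAMPLE_LOG" | flatten_dblog
```

Run it as a filter (`flatten_dblog < db.log > db_flat.log`) and index `db_flat.log` with the default line-based event breaking; because every line now starts with `time=`, a plain `TIME_PREFIX = time=` is enough for timestamp extraction. The stderr warning for an orphaned Detail line is deliberate: a log rotated mid-block would otherwise produce detail events silently attributed to no database.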