Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Consume Free-Form text

kmattern
Builder
‎11-03-2011 08:22 AM

I have a help desk database in SQL Server that I want to export to log type files and have Splunk consume. I'm not having any trouble getting the data into Splunk but I can't seem to get Splunk to understand where the boundaries for each record/event is. I have defined my output as follows:



TicketNum=000001

CustName=Bob Smith

CallDate=2011-11-01

Status=Closed

CallDesc=Mr. Smith had trouble accessing his hydro accelerator while in mimsy mode.

CallResolution=Told Mr. Smith that he had to be sure his vorbis was in gear

Of course the CallDesc and CallResolution fields can be quite long. They contain copies of emails, comments and more. I have been careful to separate them with only line feeds. The only carriage return/linefeed is at the end of each record/event. There are 14 fields in each record/event.

When I run a search on the raw data many of the records/events run together and they do not necessarily break at the end of a record/event. Yet others do. I have set the DELIMS="\n" in transforms.conf but it doesn't seem to help.

Does anyone know how I can break these records/events out properly?

Thanks

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

tgow
Splunk Employee
Splunk Employee
‎11-03-2011 09:51 AM

You will need to instruct Splunk that this is a mulit-line event and also tell it where the line breakers are. Assuming that the TicketNum field is where a new event starts try this in your $SPLUNK_HOME/etc/system/local/props.conf:

[yoursourcetype]
SHOULD_LINEMERGE = True
BREAK_ONLY_BEFORE = ^TicketNum

View solution in original post

Reply
Solved! Jump to solution
Solution

tgow
Splunk Employee
Splunk Employee
‎11-03-2011 09:51 AM

You will need to instruct Splunk that this is a mulit-line event and also tell it where the line breakers are. Assuming that the TicketNum field is where a new event starts try this in your $SPLUNK_HOME/etc/system/local/props.conf:

[yoursourcetype]
SHOULD_LINEMERGE = True
BREAK_ONLY_BEFORE = ^TicketNum
Reply
Solved! Jump to solution

_d_
Splunk Employee
Splunk Employee
‎11-03-2011 08:36 AM

Try using DELIMS="([\r\n])+" as there may be carriage returns and/or new lines.

Hope this helps

> please upvote and accept answer if you find it useful - thanks!

0 Karma
Reply
Solved! Jump to solution

kmattern
Builder
‎11-03-2011 08:49 AM

That didn't seem to do anything different. Maybe part of the problem is that in the free-form text theare are usually a number of dates. Emails are copied comppletely into these records and that includes the date and time of the email. I moved all of my date fields to the top of the event but that didn't seem to help either.

0 Karma
Reply
Get Updates on the Splunk Community!

Faster Insights with AI, Streamlined Cloud-Native Operations, and More New Lantern ...

Splunk Lantern is a Splunk customer success center that provides practical guidance from Splunk experts on key ...

Splunk Enterprise Security: Your Command Center for PCI DSS Compliance

Every security professional knows the drill. The PCI DSS audit is approaching, and suddenly everyone's asking ...

Developer Spotlight with Guilhem Marchand

From Splunk Engineer to Founder: The Journey Behind TrackMe    After spending over 12 years working full time ...