Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Consume Free-Form text

kmattern
Builder
‎11-03-2011 08:22 AM

I have a help desk database in SQL Server that I want to export to log type files and have Splunk consume. I'm not having any trouble getting the data into Splunk but I can't seem to get Splunk to understand where the boundaries for each record/event is. I have defined my output as follows:



TicketNum=000001

CustName=Bob Smith

CallDate=2011-11-01

Status=Closed

CallDesc=Mr. Smith had trouble accessing his hydro accelerator while in mimsy mode.

CallResolution=Told Mr. Smith that he had to be sure his vorbis was in gear

Of course the CallDesc and CallResolution fields can be quite long. They contain copies of emails, comments and more. I have been careful to separate them with only line feeds. The only carriage return/linefeed is at the end of each record/event. There are 14 fields in each record/event.

When I run a search on the raw data many of the records/events run together and they do not necessarily break at the end of a record/event. Yet others do. I have set the DELIMS="\n" in transforms.conf but it doesn't seem to help.

Does anyone know how I can break these records/events out properly?

Thanks

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

tgow
Splunk Employee
Splunk Employee
‎11-03-2011 09:51 AM

You will need to instruct Splunk that this is a mulit-line event and also tell it where the line breakers are. Assuming that the TicketNum field is where a new event starts try this in your $SPLUNK_HOME/etc/system/local/props.conf:

[yoursourcetype]
SHOULD_LINEMERGE = True
BREAK_ONLY_BEFORE = ^TicketNum

View solution in original post

Reply
Solved! Jump to solution
Solution

tgow
Splunk Employee
Splunk Employee
‎11-03-2011 09:51 AM

You will need to instruct Splunk that this is a mulit-line event and also tell it where the line breakers are. Assuming that the TicketNum field is where a new event starts try this in your $SPLUNK_HOME/etc/system/local/props.conf:

[yoursourcetype]
SHOULD_LINEMERGE = True
BREAK_ONLY_BEFORE = ^TicketNum
Reply
Solved! Jump to solution

_d_
Splunk Employee
Splunk Employee
‎11-03-2011 08:36 AM

Try using DELIMS="([\r\n])+" as there may be carriage returns and/or new lines.

Hope this helps

> please upvote and accept answer if you find it useful - thanks!

0 Karma
Reply
Solved! Jump to solution

kmattern
Builder
‎11-03-2011 08:49 AM

That didn't seem to do anything different. Maybe part of the problem is that in the free-form text theare are usually a number of dates. Emails are copied comppletely into these records and that includes the date and time of the email. I moved all of my date fields to the top of the event but that didn't seem to help either.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Keep the Learning Going with the New Best of .conf Hub

Hello Splunkers, With .conf26 getting closer, there’s already a lot of excitement building around this year’s ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

How to find the worst searches in your Splunk environment and how to fix them

Everyone knows Splunk is a powerful platform for running searches and doing data analytics. Your ...