Getting Data In

Events Formatting

blbr123
Path Finder

Hi All,

I have a scripted input which gets data from a URL and sends it to Splunk.

But now I have an issue with event formatting. The actual website data I am ingesting is as shown below:

##### BEGIN STATUS #####

#LAST UPDATE  :  Tue,  28  Nov  2023  11:00:16  +0000

Abcstatus.status=ok

Abcstatus.lastupdate=17xxxxxxxx555

###  ServiceStatus  ###

xxxxx

xxxxxx

xxxx

###  SystemStatus  ###

XXXX'

XXXX

###  xyxStatus  ###

XXX

XXX

XXX

.

.

.

.

So on....

But in Splunk the lines below are coming in as separate events instead of being part of one complete event:

##### FIRST STATUS #####  - is coming as a separate event

Abcstatus.status=ok  - this is also coming as a separate event

All the lines below are coming in as one event, which is correct, and the above two lines should also be part of this one event:

Abcstatus.lastupdate=17xxxxxxxx555

###  ServiceStatus  ###

xxxxx

xxxxxx

xxxx

###  SystemStatus  ###

.

.

.

So on....

#####   END STATUS  #####

Below is my props:

DATETIME_CONFIG = CURRENT

SHOULD_LINEMERGE=TRUE

BREAK_ONLY_AFTER = ^#{5}\s{6}END\sSTATUS\s{6}\#{5}

MUST_NOT_BREAK_AFTER=\#{5}\s{5}BEGIN\sSTATUS\s{5}\#{5}

TIME_PREFIX=^#\w+\s\w+\w+\s:\s

MAX_TIMESTAMP_LOOKAHEAD=200

Can you please help me with the issue?

0 Karma

richgalloway
SplunkTrust

If DATETIME_CONFIG is set to CURRENT then there is no need for the TIME_PREFIX or MAX_TIMESTAMP_LOOKAHEAD settings.

The regexes do not match the sample data - the regex expects too many spaces.  Also, there is no BREAK_ONLY_AFTER setting.  Perhaps you mean MUST_BREAK_AFTER.  Try these settings.

DATETIME_CONFIG = CURRENT
SHOULD_LINEMERGE = TRUE
MUST_BREAK_AFTER = [\r\n]+#{5}\s+END\sSTATUS\s+\#{5}

---
If this reply helps you, Karma would be appreciated.
0 Karma
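To make the answer's first point concrete (the regexes in the question demand fixed runs of five or six whitespace characters that the sample lines do not contain, while the suggested `\s+` form matches them), here is a small Python check. It is an added example, not code from either participant or from Splunk: it runs the three patterns from the thread over a constructed status block modelled on the question's data, and includes a deliberately simplified model of SHOULD_LINEMERGE with one MUST_BREAK_AFTER rule. The model tests each line with its preceding line terminator attached and re.MULTILINE on, so both a `^`-anchored pattern and one starting with `[\r\n]+` get a chance to match; that, and the fact that it ignores the timestamp-based breaking Splunk also applies, are assumptions of the example, not a description of Splunk's line merger.

```python
import re

# Constructed sample input modelled on the thread's data (values are placeholders,
# not real output). The uneven whitespace runs are kept on purpose, as in the question.
SAMPLE = (
    "##### BEGIN STATUS #####\n"
    "#LAST UPDATE  :  Tue,  28  Nov  2023  11:00:16  +0000\n"
    "Abcstatus.status=ok\n"
    "Abcstatus.lastupdate=17xxxxxxxx555\n"
    "###  ServiceStatus  ###\n"
    "xxxxx\n"
    "###  SystemStatus  ###\n"
    "XXXX\n"
    "#####   END STATUS  #####\n"
    "##### BEGIN STATUS #####\n"
    "#LAST UPDATE  :  Wed,  29  Nov  2023  10:39:57  +0000\n"
    "Abcstatus.status=ok\n"
    "#####   END STATUS  #####\n"
)

# Patterns copied verbatim from the thread.
QUESTION_END = r"^#{5}\s{6}END\sSTATUS\s{6}\#{5}"      # asker's BREAK_ONLY_AFTER
QUESTION_BEGIN = r"\#{5}\s{5}BEGIN\sSTATUS\s{5}\#{5}"   # asker's MUST_NOT_BREAK_AFTER
ANSWER_END = r"[\r\n]+#{5}\s+END\sSTATUS\s+\#{5}"       # answer's MUST_BREAK_AFTER


def matching_lines(pattern, text):
    """Return the 1-based line numbers in text that the pattern matches.

    Assumption of this model: each line is tested with a preceding "\n"
    attached and re.MULTILINE on, so a pattern anchored with '^' and one that
    starts with '[\\r\\n]+' are both given a fair chance to match the line.
    """
    rx = re.compile(pattern, re.MULTILINE)
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if rx.search("\n" + line):
            hits.append(lineno)
    return hits


def merge_events(text, must_break_after):
    """Toy model of SHOULD_LINEMERGE=true with a single MUST_BREAK_AFTER rule.

    Consecutive lines are joined into one event, and the event is closed right
    after a line that matches must_break_after. Timestamp-based breaking, which
    Splunk also performs, is deliberately left out so only the regex is shown.
    """
    rx = re.compile(must_break_after, re.MULTILINE)
    events, current = [], []
    for line in text.splitlines():
        current.append(line)
        if rx.search("\n" + line):
            events.append("\n".join(current))
            current = []
    if current:
        events.append("\n".join(current))
    return events


if __name__ == "__main__":
    for name, pattern in (("QUESTION_END", QUESTION_END),
                          ("QUESTION_BEGIN", QUESTION_BEGIN),
                          ("ANSWER_END", ANSWER_END)):
        print(f"{name:15} matches lines {matching_lines(pattern, SAMPLE)}")
    print("events with the question's END regex:", len(merge_events(SAMPLE, QUESTION_END)))
    print("events with the answer's END regex:  ", len(merge_events(SAMPLE, ANSWER_END)))
```

Running it shows that neither of the question's patterns matches a single line of the sample, so the block never breaks at END STATUS and every status block runs together, while the answer's pattern matches exactly the two END STATUS lines and yields one event per block. Swapping in your own captured output for SAMPLE is the quickest way to confirm a props.conf regex before reloading the input.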

blbr123
Path Finder

I tried the props settings you suggested but still same issue.

######   BEGIN STATUS   ##### is coming as a separate event.

#LAST UPDATE : Wed, 29 Nov 2023 10:39:57 +0000 GlobalStatus.status=OK, this is also coming as a separate event

Both these events should come under one event.

0 Karma