Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How can I break up one long line into multiple events?

snorri
Path Finder
‎10-10-2017 02:13 AM

I have a file that contains one really long line, see below

Example:
["2017-10-09 13:05",976.0,"OK"],["2017-10-09 13:06",908.0,"OK"],["2017-10-09 13:07",1001.0,"OK"] ...... And so on..

How can I break up each ["2017-10-09 13:05",976.0,"OK"] into events?

I first tried to accomplish this in props.conf with no luck.
So now Im adding the file using "upload file" just to see if I can breake the line, still with no luck..

Any pointers would be much appriciated

0 Karma
Reply

cmerriman
Super Champion
‎10-10-2017 05:17 AM

in props.conf you should be able to configure line breaking. a regex of something like LINE_BREAKER=\]([,])might do the trick.

you can also do this via the UI. Just go to Add Data>Monitor/Upload/Forward. Eventually, you'll get to the Set Sourcetype stage and you can configure the event breaks there. you can see where/how the events are going to break and adjust accordingly.
https://docs.splunk.com/Documentation/SplunkCloud/6.6.3/Data/Modifyeventprocessing

Reply

skalliger
Motivator
‎10-10-2017 05:09 AM

Hi,

what did you try to do in your props.conf?
What you are looking for is the BREAK_ONLY_BEFORE (or MUST_BREAK_AFTER) setting.
I would go with somethign like this:

[your_sourcetype (defined in inputs.conf)]
MUST_BREAK_AFTER = (\"\]\,)

So, your event gets broken after the comma.

Skalli

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

 Prepare to elevate your security operations with the powerful upgrade to Splunk Enterprise Security 8.x! This ...

Get Early Access to AI Playbook Authoring: Apply for the Alpha Private Preview ...

Passionate about security automation? Apply now to our AI Playbook Authoring Alpha private preview ...

Reduce and Transform Your Firewall Data with Splunk Data Management

Managing high-volume firewall data has always been a challenge. Noisy events and verbose traffic logs often ...