How can I break up one long line into multiple eve...

snorri · ‎10-10-2017

I have a file that contains one really long line, see below

Example:
["2017-10-09 13:05",976.0,"OK"],["2017-10-09 13:06",908.0,"OK"],["2017-10-09 13:07",1001.0,"OK"] ...... And so on..

How can I break up each ["2017-10-09 13:05",976.0,"OK"] into events?

I first tried to accomplish this in props.conf with no luck.
So now Im adding the file using "upload file" just to see if I can breake the line, still with no luck..

Any pointers would be much appriciated

cmerriman · ‎10-10-2017

in props.conf you should be able to configure line breaking. a regex of something like LINE_BREAKER=\]([,])might do the trick.

you can also do this via the UI. Just go to Add Data>Monitor/Upload/Forward. Eventually, you'll get to the Set Sourcetype stage and you can configure the event breaks there. you can see where/how the events are going to break and adjust accordingly.
https://docs.splunk.com/Documentation/SplunkCloud/6.6.3/Data/Modifyeventprocessing

skalliger · ‎10-10-2017

Hi,

what did you try to do in your props.conf?
What you are looking for is the BREAK_ONLY_BEFORE (or MUST_BREAK_AFTER) setting.
I would go with somethign like this:

[your_sourcetype (defined in inputs.conf)]
MUST_BREAK_AFTER = (\"\]\,)

So, your event gets broken after the comma.

Skalli

How can I break up one long line into multiple events?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Observability Simplified: Combining User Experience, Application Performance & ...

Event Series May & June: From Network Visibility to Service Intelligence

Join the Conversation