How can I break up one long line into multiple eve...

snorri · ‎10-10-2017

I have a file that contains one really long line, see below

Example:
["2017-10-09 13:05",976.0,"OK"],["2017-10-09 13:06",908.0,"OK"],["2017-10-09 13:07",1001.0,"OK"] ...... And so on..

How can I break up each ["2017-10-09 13:05",976.0,"OK"] into events?

I first tried to accomplish this in props.conf with no luck.
So now Im adding the file using "upload file" just to see if I can breake the line, still with no luck..

Any pointers would be much appriciated

cmerriman · ‎10-10-2017

in props.conf you should be able to configure line breaking. a regex of something like LINE_BREAKER=\]([,])might do the trick.

you can also do this via the UI. Just go to Add Data>Monitor/Upload/Forward. Eventually, you'll get to the Set Sourcetype stage and you can configure the event breaks there. you can see where/how the events are going to break and adjust accordingly.
https://docs.splunk.com/Documentation/SplunkCloud/6.6.3/Data/Modifyeventprocessing

skalliger · ‎10-10-2017

Hi,

what did you try to do in your props.conf?
What you are looking for is the BREAK_ONLY_BEFORE (or MUST_BREAK_AFTER) setting.
I would go with somethign like this:

[your_sourcetype (defined in inputs.conf)]
MUST_BREAK_AFTER = (\"\]\,)

So, your event gets broken after the comma.

Skalli

How can I break up one long line into multiple events?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Index This | What travels the world but is also stuck in place?

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

Join the Conversation