How can I break up one long line into multiple eve...

snorri · ‎10-10-2017

I have a file that contains one really long line, see below

Example:
["2017-10-09 13:05",976.0,"OK"],["2017-10-09 13:06",908.0,"OK"],["2017-10-09 13:07",1001.0,"OK"] ...... And so on..

How can I break up each ["2017-10-09 13:05",976.0,"OK"] into events?

I first tried to accomplish this in props.conf with no luck.
So now Im adding the file using "upload file" just to see if I can breake the line, still with no luck..

Any pointers would be much appriciated

cmerriman · ‎10-10-2017

in props.conf you should be able to configure line breaking. a regex of something like LINE_BREAKER=\]([,])might do the trick.

you can also do this via the UI. Just go to Add Data>Monitor/Upload/Forward. Eventually, you'll get to the Set Sourcetype stage and you can configure the event breaks there. you can see where/how the events are going to break and adjust accordingly.
https://docs.splunk.com/Documentation/SplunkCloud/6.6.3/Data/Modifyeventprocessing

skalliger · ‎10-10-2017

Hi,

what did you try to do in your props.conf?
What you are looking for is the BREAK_ONLY_BEFORE (or MUST_BREAK_AFTER) setting.
I would go with somethign like this:

[your_sourcetype (defined in inputs.conf)]
MUST_BREAK_AFTER = (\"\]\,)

So, your event gets broken after the comma.

Skalli

How can I break up one long line into multiple events?

.conf23 | Get Your Cybersecurity Defense Analyst Certification in Vegas

Streamline Data Ingestion With Deployment Server Essentials

Remediate Threats Faster and Simplify Investigations With Splunk Enterprise Security ...