Hi Team,
Below is the single event for my search query:
SAS NodeAgent APPSERVER Service is Running
SAS JVM1 SASQC1AUQ4066LS03 Service is Running
SAS JVM2 SASQC1AUQ4066LS02 Service is Running
SAS JVM3 SASQC1AUQ4066LS01 Service is Running
I want each line to be a single event.
Event1 - SAS NodeAgent APPSERVER Service is Running
Event2 - SAS JVM1 SASQC1AUQ4066LS03 Service is Running
How can I achieve this? Please assist.
This example is at search time.
This makes your test data...
| makeresults
| eval _raw=" SAS NodeAgent APPSERVER Service is Running
SAS JVM1 SASQC1AUQ4066LS03 Service is Running
SAS JVM2 SASQC1AUQ4066LS02 Service is Running
SAS JVM3 SASQC1AUQ4066LS01 Service is Running"
This puts flags into it before each " SAS " line, converts it into a multivalue field, and then breaks it into multiple events
| rename _raw as raw
| rex field=raw mode=sed "s/\s+SAS /!!!! SAS /g"
| rex field=raw mode=sed "s/^!!!! SAS / SAS /"
| makemv delim="!!!!" raw
| mvexpand raw
| rename raw as _raw
The renaming is because the internal field _raw has some special properties that we do not want to engage with.
This version assumes that there is other data before the first SAS line that needs to be copied onto each of the breakout records.
| makeresults
| eval _raw="junk stuff that we don't care about but which needs to be on every line
SAS NodeAgent APPSERVER Service is Running
SAS JVM1 SASQC1AUQ4066LS03 Service is Running
SAS JVM2 SASQC1AUQ4066LS02 Service is Running
SAS JVM3 SASQC1AUQ4066LS01 Service is Running"
| rename _raw as raw
| rex field=raw mode=sed "s/\s+SAS /!!!! SAS /g"
| makemv delim="!!!!" raw
| eval _raw = mvindex(raw,0)
| eval raw = mvindex(raw,1,mvcount(raw)-1)
| mvexpand raw
| eval _raw = _raw.raw
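For comparison with the search-time approach above, here is an added index-time alternative (my own configuration, not from the answer or the asker): a props.conf stanza that breaks the incoming stream before every line starting with "SAS ", so each service line is indexed as its own event. It assumes every service line does begin with "SAS " and uses a sourcetype name chosen here as a placeholder.

```ini
# props.conf on the indexer or heavy forwarder. Added example, not from the answer.
# The sourcetype name is a placeholder; assign it to the input in inputs.conf.
[sas_service_status]
# Do not glue consecutive lines back together into one event.
SHOULD_LINEMERGE = false
# Break the stream at every newline run that is followed by a "SAS " line.
# The captured newline run is discarded; the lookahead keeps "SAS ..." as the
# start of the next event. Leading blanks before SAS are tolerated.
LINE_BREAKER = ([\r\n]+)(?=\s*SAS\s)
# Guard against a runaway event if the source ever stops matching.
TRUNCATE = 10000
# Search-time field extraction so the service state can be searched and alerted on
# (field names are my own choice).
EXTRACT-sas_service = ^\s*SAS\s+(?<sas_component>\S+)\s+(?<sas_instance>\S+)\s+Service is (?<sas_state>\w+)
```

With this in place, a search such as `sourcetype=sas_service_status sas_state!=Running` returns one event per service that is not running, which is the form an alert needs.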
Thanks! It worked.
Does every line begin with "SAS"? Is there any other information in the _raw for the event? Can you post a full example event, in the exact format they occur (without sensitive data, obviously).