Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to edit my props.conf to keep multiline events containing XML as one event?

shitching
New Member
‎12-01-2016 04:52 AM

Hi,

I’m trying to create a new source type for the first time. I’ve been at it all morning and I’m pretty sure I must be missing something fundamental.

The data I’m importing is quite a messy log file. Some events contain XML spread across multiple lines, and where I’m having trouble is keeping the multiline events as one event.

To make life easier (I hope), I’ve added a new column (called “blah”) to the beginning of each event so it’s easier to tell when a new event starts. To help troubleshoot, I’ve created this very simple dummy log file:

blah    data
blah    a single line 1
blah    multiple lines one
multiple lines two
multiple lines three
blah    a single line 2

This should appear as a header with two columns called “blah” and “data”, there are three events:

Event 1:
blah a single line 1

Event 2:
blah multiple lines one
multiple lines two
multiple lines three

Event 3:
blah a single line 2

Here’s what the event type looks like in props.conf:

[fsv]
SHOULD_LINEMERGE = True
BREAK_ONLY_BEFORE = blah
pulldown_type = true
INDEXED_EXTRACTIONS = tsv
FIELD_DELIMITER=tab
HEADER_FIELD_DELIMITER=tab
KV_MODE = none
category = Structured
description = Fancy seperated value format. Set header and other settings in "Delimited Settings"

I’ve also tried various configurations with LINE_BREAKER but everything I’ve tried still results in one event for each line.

0 Karma
Reply

shitching
New Member
‎01-06-2017 02:30 AM

Thanks. In the end I used:

BREAK_ONLY_BEFORE = blah
SHOULD_LINEMERGE=true

and removed the INDEXED_EXTRACTIONS. Then used a field extraction to pull out the tab-delimited fields.

0 Karma
Reply

maciep
Champion
‎12-01-2016 05:29 PM

This stanza worked for me on you sample data set. I'm not sure, however, if you'll be able to use indexed extractions and get the data in the format you want. I think INDEXED_EXTRACTIONS is done at input time and may then actually skip parsing. It might be easier to just forgo the header in your file, index the data the way you want and then create extractions to pull the fields out of your data at search time.

[my:sourcetype]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)(?=blah)
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...