Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to split multiple lines of data into a single individual line in splunk?

Hemnaath
Motivator
‎06-20-2018 05:33 AM

Hi All, We are monitoring the wtmpx data from the Unix machines via splunk using the Splunk add-on for Unix, based on this add-on we could see the data from the wtmpx file in splunk, but currently we could see the data ingesting from the wtmpx file into splunk with multiple line like shown below.

  6/20/18
6:26:03.000 AM  
USERNAME        LINE        HOSTNAME                                  TIME
HXXX019        pts/1       w442xty1.XXXX.com                     Jun 19 18:40
Hxxx007        pts/5       yb33gnn1.XXXX.com                     Jun 19 08:53


6/20/18
6:23:33.000 AM  
USERNAME        LINE        HOSTNAME                                  TIME
HXXX019        pts/1       w442xty1.XXXX.com                     Jun 19 18:40
HXXX007        pts/5       yb33gnn1.XXXX.com                     Jun 19 08:53

But instead of multiple line we want to have it as single event like this 

USERNAME        LINE        HOSTNAME                                  TIME
HXXX019        pts/1       w442xty1.XXXX.com                     Jun 19 18:40

USERNAME        LINE        HOSTNAME                                  TIME
HXXX007        pts/5       yb33gnn1.XXXX.com                    Jun 19 08:53

And also if there is no content in the log then it should be removed from splunk.
example: 

    USERNAME        LINE        HOSTNAME                                  TIME

host=r3crp00   source=who        sourcetype=who

Props.conf details for the sourcetype=who 

[who]
SHOULD_LINEMERGE=false
LINE_BREAKER=^()$
TRUNCATE=1000000
DATETIME_CONFIG = CURRENT

sourcetype=lastlog

[lastlog]
## Override system/default lastlog sourcetype invalidation
invalid_cause =
SHOULD_LINEMERGE=false
LINE_BREAKER=^()$
TRUNCATE=1000000
DATETIME_CONFIG = CURRENT

Kindly guide me how to configure this in the props.conf file.

thanks in advance.

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Hemnaath
Motivator
‎06-20-2018 07:53 AM

Hi All,

Got how to split the multiple event in to single individual event using the Line_Breaker stanza in props.conf 

 [who]
 SHOULD_LINEMERGE=false
 LINE_BREAKER=([\r\n]+)
 TRUNCATE=1000000
 DATETIME_CONFIG = CURRENT

[lastlog]
 ## Override system/default lastlog sourcetype invalidation
 invalid_cause =
 SHOULD_LINEMERGE=false
 LINE_BREAKER=([\r\n]+)
 TRUNCATE=1000000
 DATETIME_CONFIG = CURRENT

View solution in original post

Reply
Solved! Jump to solution
Solution

Hemnaath
Motivator
‎06-20-2018 07:53 AM

Hi All,

Got how to split the multiple event in to single individual event using the Line_Breaker stanza in props.conf 

 [who]
 SHOULD_LINEMERGE=false
 LINE_BREAKER=([\r\n]+)
 TRUNCATE=1000000
 DATETIME_CONFIG = CURRENT

[lastlog]
 ## Override system/default lastlog sourcetype invalidation
 invalid_cause =
 SHOULD_LINEMERGE=false
 LINE_BREAKER=([\r\n]+)
 TRUNCATE=1000000
 DATETIME_CONFIG = CURRENT
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...