Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Is there a way to break in Splunk for the following data ??

rakesh_498115
Motivator
‎03-20-2014 07:12 AM

Hi .

I Have my data something like this...

SRFR10279A1 R10A1 R0033201 cdain         LOW             SDEDS1            C1600002          0          0          0 20140316 00002000 20140316 00000600 20140316 0
0000600 000000 NPROTTCP  cdteipal01                      00 04096 U15 ./TPULL/                         /host/dsds/XXXXX/EIPAL


SRFR10279A1 R102A1 R0033201 cdmin         LOW             SDEDS1            C1600001          0          0          0 20140316 00001000 20140316 00000600 20140316 0
0000600 000000 NPROTTCP  cdteipal01                      00 04096 U15 ./TPUSAGE/EIPAL_USERDETAIL_PULL_20140316000002                   /deds-host/ds/XXXXX/EIPAL


USION   SION   R0201 xfr_deds        LOW             SDEDS             C1600001          0          0          0 20140316 00001000 20140316 00000600 20140316 0
0000600 000000 SSION  cdtronm01                       00 04096 U15 /host/wcadata/OUTGOING/XXX/./IPVS/

These are sample events .. all the event data is having two blank lines in b/w them....

Have tried something like this in my props.

[props]

BREAK_ONLY_BEFORE=[\r\n\]+\s
NO_BINARY_CHECK=1
SHOULD_LINEMERGE=false
0 Karma
Reply

kristian_kolb
Ultra Champion
‎03-20-2014 12:52 PM

Firstly, your configs don't add up. BREAK_ONLY_BEFORE only has meaning when SHOULD_LINEMERGE is set to "true". Many times these kinds of problem arise in improper timestamp recognition.

Assuming that this is a single-line event, and that the "201403016 00002000" (in the first event) is the timestamp, meaning 2014-03-16 00:00:20,00, something like this could work;

props.conf

[your_sourcetype]
SHOULD_LINEMERGE=false
LINE_BREAKER = ([\r\n]+)
MAX_TIMESTAMP_LOOKAHEAD = 250
TIME_PREFIX = ^\s*(\S+\s+){10}
TIME_FORMAT = %Y%m%d %H%M%S%2N

EDIT: fixed a typo in TIME_FORMAT
/k

0 Karma
Reply

rakesh_498115
Motivator
‎03-27-2014 12:53 AM

its is multiline..i have 2 lines of data cotinously with 2 empty lines space b/w them..

0 Karma
Reply

kristian_kolb
Ultra Champion
‎03-24-2014 06:22 PM

err, I made a typo (in TIME_FORMAT), but perhaps you spotted that and took the appropriate action.

Fixed it now.

Could you tell us more about your event format? single line, multi line?

0 Karma
Reply

rakesh_498115
Motivator
‎03-21-2014 02:02 AM

Hi Kristian... thanks for ur update.. this even didnt work on my data 😞

0 Karma
Reply

somesoni2
Revered Legend
‎03-20-2014 07:33 AM

Are these data spread over multiple lines or whole event appears in one line?

0 Karma
Reply
Get Updates on the Splunk Community!

Data Management Digest – December 2025

Welcome to the December edition of Data Management Digest! As we continue our journey of data innovation, the ...

Index This | What is broken 80% of the time by February?

December 2025 Edition   Hayyy Splunk Education Enthusiasts and the Eternally Curious!    We’re back with this ...

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Hello Splunk Community,   We're thrilled to share an exciting update that will help you manage your data more ...