Line Breaking for netstat only breaks on the first...

ekenne06 · ‎10-02-2020

have a scripted input that runs:

netstat -tupn and the output shows:

tcp x.x.x.x:38314 x.x.x.x:7075 ESTABLISHED 4144/java

tcp x.x.x.x:22 x.x.x.x:62601 ESTABLISHED 5830/sshd:

tcp x.x.x.x:37032 x.x.x.x:8080 ESTABLISHED 4144/java

tcp x.x.x.x:59344 x.x.x.x:49302 ESTABLISHED 4144/java

in my props.conf I have

[<sourcetype>]

BREAK_ONLY_BEFORE = (tcp)

SHOULD_LINEMERGE = false

the events are getting indexed but I only see the first event

tcp x.x.x.x:38314 x.x.x.x:7075 ESTABLISHED 4144/java

and nothing else gets indexed. What am I missing?

thambisetty · ‎10-02-2020

Change SHOULD_LINEMERGE = True

————————————
If this helps, give a like below.

ekenne06 · ‎10-03-2020

Why is that? I thought LINEMERGE meant taking individual events and making them 1 single event? I have a multi line event that I want to be single events. Am I miss understanding that line?

Line Breaking for netstat only breaks on the first line

props.conf

scripted input

universal forwarder

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

Join the Conversation