Re: Multiple lines in a single event CSV

rdgg97 · ‎08-12-2019

Hi.

I have the following CSV entry. The problem is that splunk take events from every line, but i have to merge multiple lines in a single event.

101,102,103

104,105,106

107,108,109
,,,RA,FA,DA
,,,TE,TS,POL

110,111,112

Kawtar · ‎08-13-2019

Hello,

There are other settings you may need to specify in your props.conf.

Make sure SHOULD_LINEMERGE is set to true.

     ## props.conf ##

     SHOULD_LINEMERGE = TRUE

Regards,

Sukisen1981 · ‎08-12-2019

how does splunk show the events now and how do you want it?

rdgg97 · ‎08-13-2019

Splunk shows the events as follow:

Event) INFO

1) 101,102,103
2) 104,105,106
3) 107,108,109
4) , , RA, FA, DA
5) , , TE, TS, POL
6) 110,111,112

And I want to splunk take events 3,4 & 5 as one

1) 101,102,103
2) 104,105,106
3) 107,108,109
, , RA, FA, DA
, , TE, TS, POL
6) 110,111,112

Sukisen1981 · ‎08-13-2019

try this in your props.conf
Add a new stanza for your sourcetype, make sure to save your sourcetype while uploading the csv as a unique name
[your unique sourcetype]
BREAK_ONLY_BEFORE = ^\d+\s*$
make
SHOULD_LINEMERGE = FALSE, revert back the default settings for SHOULD_LINEMERGE

Kawtar · ‎08-12-2019

Hello
You should use this settings you may need to specify in your props.conf.

SHOULD_LINEMERGE = true

rdgg97 · ‎08-13-2019

Thank you. I tried but nothing changed.

Multiple lines in a single event CSV

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Analytics Workspace deprecation

Splunk Developer Day Recap: Building, Publishing, and Growing on the Splunk Platform

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Join the Conversation