Getting Data In

Multiple lines in a single event CSV

rdgg97
Explorer

Hi.

I have the following CSV entry. The problem is that Splunk takes events from every line, but I have to merge multiple lines into a single event.

101,102,103

104,105,106

107,108,109
,,,RA,FA,DA
,,,TE,TS,POL

110,111,112

0 Karma

Kawtar
Path Finder

Hello,

There are other settings you may need to specify in your props.conf.

Make sure SHOULD_LINEMERGE is set to true.

     ## props.conf ##

     SHOULD_LINEMERGE = TRUE

Regards,

0 Karma

Sukisen1981
Champion

How does Splunk show the events now, and how do you want it?

0 Karma

rdgg97
Explorer

Splunk shows the events as follows:

Event) INFO

1) 101,102,103
2) 104,105,106
3) 107,108,109
4) , , RA, FA, DA
5) , , TE, TS, POL
6) 110,111,112

And I want Splunk to take events 3, 4 & 5 as one:

1) 101,102,103
2) 104,105,106
3) 107,108,109
, , RA, FA, DA
, , TE, TS, POL
6) 110,111,112

0 Karma

Sukisen1981
Champion

Try this in your props.conf.
Add a new stanza for your sourcetype; make sure to save your sourcetype under a unique name while uploading the CSV.

     [your unique sourcetype]
     BREAK_ONLY_BEFORE = ^\d+\s*$

Make SHOULD_LINEMERGE = FALSE; revert back to the default settings for SHOULD_LINEMERGE.

Kawtar
Path Finder

Hello
You should use this setting, which you may need to specify in your props.conf.

SHOULD_LINEMERGE = true

0 Karma

rdgg97
Explorer

Thank you. I tried but nothing changed.

0 Karma
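
An added example, not part of any post in this thread and not Splunk's code: a simplified Python model of the two event-breaking approaches discussed above, run against the sample data from the first post so a break pattern can be checked offline before it goes into props.conf. The function names and the sourcetype name `my_multiline_csv` are hypothetical, and the model ignores timestamp-based breaking and event size limits.

```python
import re

# Sample rows from the first post (blank lines dropped), constructed inline.
SAMPLE = (
    "101,102,103\n104,105,106\n107,108,109\n"
    ",,,RA,FA,DA\n,,,TE,TS,POL\n110,111,112\n"
)

def break_only_before(text, pattern):
    """Model of line merging with BREAK_ONLY_BEFORE (needs SHOULD_LINEMERGE = true):
    a new event starts only at a line that matches `pattern`."""
    rx = re.compile(pattern)
    events = []
    for line in text.splitlines():
        if rx.search(line) or not events:
            events.append(line)          # matching line opens a new event
        else:
            events[-1] += "\n" + line    # everything else is a continuation
    return events

def line_breaker(text, pattern):
    """Model of LINE_BREAKER with SHOULD_LINEMERGE = false: an event ends where
    `pattern` matches, and the text in capture group 1 is discarded."""
    rx = re.compile(pattern)
    events, start = [], 0
    for m in rx.finditer(text):
        events.append(text[start:m.start(1)])
        start = m.end(1)
    tail = text[start:].rstrip("\r\n")
    if tail:
        events.append(tail)
    return events

# Candidate stanza the model corresponds to (sourcetype name is hypothetical):
#   [my_multiline_csv]
#   SHOULD_LINEMERGE = false
#   LINE_BREAKER = ([\r\n]+)(?=\d)

if __name__ == "__main__":
    for label, events in [
        ("BREAK_ONLY_BEFORE ^\\d+\\s*$", break_only_before(SAMPLE, r"^\d+\s*$")),
        ("BREAK_ONLY_BEFORE ^\\d", break_only_before(SAMPLE, r"^\d")),
        ("LINE_BREAKER ([\\r\\n]+)(?=\\d)", line_breaker(SAMPLE, r"([\r\n]+)(?=\d)")),
    ]:
        print(f"{label}: {len(events)} event(s)")
        for e in events:
            print("   ", repr(e))
```

In this model a break pattern that requires the whole line to be digits matches none of the comma-separated rows, while a pattern anchored on a leading digit keeps the `,,,RA,FA,DA` and `,,,TE,TS,POL` rows attached to `107,108,109`.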