Re: Multiple lines in a single event CSV

rdgg97 · ‎08-12-2019

Hi.

I have the following CSV entry. The problem is that splunk take events from every line, but i have to merge multiple lines in a single event.

101,102,103

104,105,106

107,108,109
,,,RA,FA,DA
,,,TE,TS,POL

110,111,112

Kawtar · ‎08-13-2019

Hello,

There are other settings you may need to specify in your props.conf.

Make sure SHOULD_LINEMERGE is set to true.

     ## props.conf ##

     SHOULD_LINEMERGE = TRUE

Regards,

Sukisen1981 · ‎08-12-2019

how does splunk show the events now and how do you want it?

rdgg97 · ‎08-13-2019

Splunk shows the events as follow:

Event) INFO

1) 101,102,103
2) 104,105,106
3) 107,108,109
4) , , RA, FA, DA
5) , , TE, TS, POL
6) 110,111,112

And I want to splunk take events 3,4 & 5 as one

1) 101,102,103
2) 104,105,106
3) 107,108,109
, , RA, FA, DA
, , TE, TS, POL
6) 110,111,112

Sukisen1981 · ‎08-13-2019

try this in your props.conf
Add a new stanza for your sourcetype, make sure to save your sourcetype while uploading the csv as a unique name
[your unique sourcetype]
BREAK_ONLY_BEFORE = ^\d+\s*$
make
SHOULD_LINEMERGE = FALSE, revert back the default settings for SHOULD_LINEMERGE

Kawtar · ‎08-12-2019

Hello
You should use this settings you may need to specify in your props.conf.

SHOULD_LINEMERGE = true

rdgg97 · ‎08-13-2019

Thank you. I tried but nothing changed.

Multiple lines in a single event CSV

Enterprise Security (ES) Essentials 8.3 is Now GA — Smarter Detections, Faster ...

AI for AppInspect

App Platform's 2025 Year in Review: A Year of Innovation, Growth, and Community

Join the Conversation

Multiple lines in a single event CSV

Enterprise Security (ES) Essentials 8.3 is Now GA — Smarter Detections, Faster ...

AI for AppInspect

App Platform's 2025 Year in Review: A Year of Innovation, Growth, and Community