- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Split logs with split
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello everyone
Someone did this?, I'm trying to split the logs with a split, usually I get the following log:
Sep 20 00:37:19 192.168.10.30: Username = jrodiguez, IP = 190.43.138.114, Session Open; Sep 20 00:57:26 Username = jrodiguez, IP = 190.43.138.114, Session disconnected
But I wish I had this log divided as follows:
Sep 20 00:37:19 192.168.10.30: Username = jrodiguez, IP = 190.43.138.114, Session Open
Sep 20 00:57:26 Username = jrodiguez, IP = 190.43.138.114, Session disconnected
Someone who has achieved?
I tried: search ... | eval _raw=split(_raw,"Open;")
But I did not get 😞
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sorry, I tried to be a little more clear up an image, but requires more "Karma".
What happens is that I make a transaction ( SEARCH ... | transaction maxspan=24h Username IP), but I _raw bundles more than you'd like, staying well:
>_raw 1
Sep 20 00:37:19 192.168.10.30: Username = jrodiguez, IP = 190.43.138.114, Session Open; Sep 20 00:57:26 Username = jrodiguez, IP = 190.43.138.114, Session disconnected
Sep 20 03:22:31 192.168.10.30: Username = jrodiguez, IP = 190.43.138.114, Session Open; Sep 20 03:34:16 Username = jrodiguez, IP = 190.43.138.114, Session disconnected
Sep 20 08:15:42 192.168.10.30: Username = jrodiguez, IP = 190.43.138.114, Session Open; Sep 20 09:21:54 Username = jrodiguez, IP = 190.43.138.114, Session disconnected
And would separate the _raw to look like this:
>_raw 1
Sep 20 00:37:19 192.168.10.30: Username = jrodiguez, IP = 190.43.138.114, Session Open; Sep 20 00:57:26 Username = jrodiguez, IP = 190.43.138.114, Session disconnected
>_raw 2
Sep 20 03:22:31 192.168.10.30: Username = jrodiguez, IP = 190.43.138.114, Session Open; Sep 20 03:34:16 Username = jrodiguez, IP = 190.43.138.114, Session disconnected
>_raw 3
Sep 20 08:15:42 192.168.10.30: Username = jrodiguez, IP = 190.43.138.114, Session Open; Sep 20 09:21:54 Username = jrodiguez, IP = 190.43.138.114, Session disconnected
I tried to do with this: SEARCH ... | transaction maxspan=24h Username IP | eval _raw=split(_raw,"disconnected"), but it did not work
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Give this a try.
search ...|makemv delim=";" _raw |mvexpand _raw
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yep this will work, but be aware that both events will have an identical timestamp according to Splunk (Sep 20 00:37:19)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sorry, I tried to be a little more clear up an image, but requires more "Karma".
What happens is that I make a transaction ( SEARCH ... | transaction maxspan=24h Username IP), but I _raw bundles more than you'd like, staying well:
>_raw 1
Sep 20 00:37:19 192.168.10.30: Username = jrodiguez, IP = 190.43.138.114, Session Open; Sep 20 00:57:26 Username = jrodiguez, IP = 190.43.138.114, Session disconnected
Sep 20 03:22:31 192.168.10.30: Username = jrodiguez, IP = 190.43.138.114, Session Open; Sep 20 03:34:16 Username = jrodiguez, IP = 190.43.138.114, Session disconnected
Sep 20 08:15:42 192.168.10.30: Username = jrodiguez, IP = 190.43.138.114, Session Open; Sep 20 09:21:54 Username = jrodiguez, IP = 190.43.138.114, Session disconnected
And would separate the _raw to look like this:
>_raw 1
Sep 20 00:37:19 192.168.10.30: Username = jrodiguez, IP = 190.43.138.114, Session Open; Sep 20 00:57:26 Username = jrodiguez, IP = 190.43.138.114, Session disconnected
>_raw 2
Sep 20 03:22:31 192.168.10.30: Username = jrodiguez, IP = 190.43.138.114, Session Open; Sep 20 03:34:16 Username = jrodiguez, IP = 190.43.138.114, Session disconnected
>_raw 3
Sep 20 08:15:42 192.168.10.30: Username = jrodiguez, IP = 190.43.138.114, Session Open; Sep 20 09:21:54 Username = jrodiguez, IP = 190.43.138.114, Session disconnected
I tried to do with this: SEARCH ... | transaction maxspan=24h Username IP | eval _raw=split(_raw,"disconnected"), but it did not work
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks gfuente!
This helped me! Thank you all!
:)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello
What you have to do is change the way of doing the transaction.
Use this: transaction startswith="Session Open" endswith="Session disconnected"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello.
You could do this with a SEARCH? It really, this log is the product of a TRANSACTION. Log is a more complex, but for simplicity I consult understanding this.
I hope I understand.
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It's not really clear what you're trying to do here I'm sorry. If the event that you provided is as you've posted, then data is not being brought into Splunk correctly and should be fixed.
If you're trying to process a merged event after a | transaction command has been applied, then I think you might be walking down the wrong path.
Ultimately it depends on:
- The nature of your raw event logs (they may need to be sanitised)
- What exactly you're trying to do.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi jrodriguezap,
I think the issue here is with the configuration of your event breaking rather than using the split command. SHould the logs really be put together like that? If not, then you're going to need to play around with your props.conf to split them accordingly.
Using your example:
[your_sourcetype]
LINE_BREAKER=([;\r\n]+\s?)
NO_BINARY_CHECK=1
SHOULD_LINEMERGE=false
This may not be the ideal way to do it (I'm a bit tired right now), but it gives me the following results:
References:
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you very much R.Turk.
Tell me, and instead of separating by props.conf, that way you could do it in the SEARCH?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello
It seems that you are not indexing logs properly, as it should break events by timestamp, and then you already will get the events splited by time.
So, post your props.conf configuration for this sourcetype, so we can propose you the best way to index those events
Regards
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello gfuente
This I want in a SEARCH
Introducing Splunk Enterprise 9.2
Adoption of RUM and APM at Splunk
Routing logs with Splunk OTel Collector for Kubernetes
