Getting Data In

Split logs with split

jrodriguezap
Contributor

Hello everyone
Someone did this?, I'm trying to split the logs with a split, usually I get the following log:

Sep 20 00:37:19 192.168.10.30: Username = jrodiguez, IP = 190.43.138.114, Session Open; Sep 20 00:57:26 Username = jrodiguez, IP = 190.43.138.114, Session disconnected

But I wish I had this log divided as follows:

Sep 20 00:37:19 192.168.10.30: Username = jrodiguez, IP = 190.43.138.114, Session Open

Sep 20 00:57:26 Username = jrodiguez, IP = 190.43.138.114, Session disconnected

Someone who has achieved?
I tried: search ... | eval _raw=split(_raw,"Open;")
But I did not get 😞

Tags (3)
0 Karma
1 Solution

jrodriguezap
Contributor

Sorry, I tried to be a little more clear up an image, but requires more "Karma".
What happens is that I make a transaction ( SEARCH ... | transaction maxspan=24h Username IP), but I _raw bundles more than you'd like, staying well:

>_raw 1
Sep 20 00:37:19 192.168.10.30: Username = jrodiguez, IP = 190.43.138.114, Session Open; Sep 20 00:57:26 Username = jrodiguez, IP = 190.43.138.114, Session disconnected  
Sep 20 03:22:31 192.168.10.30: Username = jrodiguez, IP = 190.43.138.114, Session Open; Sep 20 03:34:16 Username = jrodiguez, IP = 190.43.138.114, Session disconnected
Sep 20 08:15:42 192.168.10.30: Username = jrodiguez, IP = 190.43.138.114, Session Open; Sep 20 09:21:54 Username = jrodiguez, IP = 190.43.138.114, Session disconnected

And would separate the _raw to look like this:

>_raw 1
Sep 20 00:37:19 192.168.10.30: Username = jrodiguez, IP = 190.43.138.114, Session Open; Sep 20 00:57:26 Username = jrodiguez, IP = 190.43.138.114, Session disconnected  
>_raw 2
Sep 20 03:22:31 192.168.10.30: Username = jrodiguez, IP = 190.43.138.114, Session Open; Sep 20 03:34:16 Username = jrodiguez, IP = 190.43.138.114, Session disconnected
>_raw 3
Sep 20 08:15:42 192.168.10.30: Username = jrodiguez, IP = 190.43.138.114, Session Open; Sep 20 09:21:54 Username = jrodiguez, IP = 190.43.138.114, Session disconnected

I tried to do with this: SEARCH ... | transaction maxspan=24h Username IP | eval _raw=split(_raw,"disconnected"), but it did not work

View solution in original post

0 Karma

adrianathome
Communicator

Give this a try.

search ...|makemv delim=";" _raw |mvexpand _raw
0 Karma

rturk
Builder

Yep this will work, but be aware that both events will have an identical timestamp according to Splunk (Sep 20 00:37:19)

0 Karma

jrodriguezap
Contributor

Sorry, I tried to be a little more clear up an image, but requires more "Karma".
What happens is that I make a transaction ( SEARCH ... | transaction maxspan=24h Username IP), but I _raw bundles more than you'd like, staying well:

>_raw 1
Sep 20 00:37:19 192.168.10.30: Username = jrodiguez, IP = 190.43.138.114, Session Open; Sep 20 00:57:26 Username = jrodiguez, IP = 190.43.138.114, Session disconnected  
Sep 20 03:22:31 192.168.10.30: Username = jrodiguez, IP = 190.43.138.114, Session Open; Sep 20 03:34:16 Username = jrodiguez, IP = 190.43.138.114, Session disconnected
Sep 20 08:15:42 192.168.10.30: Username = jrodiguez, IP = 190.43.138.114, Session Open; Sep 20 09:21:54 Username = jrodiguez, IP = 190.43.138.114, Session disconnected

And would separate the _raw to look like this:

>_raw 1
Sep 20 00:37:19 192.168.10.30: Username = jrodiguez, IP = 190.43.138.114, Session Open; Sep 20 00:57:26 Username = jrodiguez, IP = 190.43.138.114, Session disconnected  
>_raw 2
Sep 20 03:22:31 192.168.10.30: Username = jrodiguez, IP = 190.43.138.114, Session Open; Sep 20 03:34:16 Username = jrodiguez, IP = 190.43.138.114, Session disconnected
>_raw 3
Sep 20 08:15:42 192.168.10.30: Username = jrodiguez, IP = 190.43.138.114, Session Open; Sep 20 09:21:54 Username = jrodiguez, IP = 190.43.138.114, Session disconnected

I tried to do with this: SEARCH ... | transaction maxspan=24h Username IP | eval _raw=split(_raw,"disconnected"), but it did not work

0 Karma

jrodriguezap
Contributor

Thanks gfuente!
This helped me! Thank you all!
:)

0 Karma

gfuente
Motivator

Hello

What you have to do is change the way of doing the transaction.

Use this: transaction startswith="Session Open" endswith="Session disconnected"

0 Karma

jrodriguezap
Contributor

Hello.
You could do this with a SEARCH? It really, this log is the product of a TRANSACTION. Log is a more complex, but for simplicity I consult understanding this.
I hope I understand.

Thanks

0 Karma

rturk
Builder

It's not really clear what you're trying to do here I'm sorry. If the event that you provided is as you've posted, then data is not being brought into Splunk correctly and should be fixed.

If you're trying to process a merged event after a | transaction command has been applied, then I think you might be walking down the wrong path.

Ultimately it depends on:
- The nature of your raw event logs (they may need to be sanitised)
- What exactly you're trying to do.

rturk
Builder

Hi jrodriguezap,

I think the issue here is with the configuration of your event breaking rather than using the split command. SHould the logs really be put together like that? If not, then you're going to need to play around with your props.conf to split them accordingly.

Using your example:

[your_sourcetype]
LINE_BREAKER=([;\r\n]+\s?)
NO_BINARY_CHECK=1
SHOULD_LINEMERGE=false

This may not be the ideal way to do it (I'm a bit tired right now), but it gives me the following results:

alt text

References:

0 Karma

jrodriguezap
Contributor

Thank you very much R.Turk.
Tell me, and instead of separating by props.conf, that way you could do it in the SEARCH?

0 Karma

gfuente
Motivator

Hello

It seems that you are not indexing logs properly, as it should break events by timestamp, and then you already will get the events splited by time.

So, post your props.conf configuration for this sourcetype, so we can propose you the best way to index those events

Regards

0 Karma

jrodriguezap
Contributor

Hello gfuente
This I want in a SEARCH

0 Karma
Get Updates on the Splunk Community!

How to Get Started with Splunk Data Management Pipeline Builders (Edge Processor & ...

If you want to gain full control over your growing data volumes, check out Splunk’s Data Management pipeline ...

Out of the Box to Up And Running - Streamlined Observability for Your Cloud ...

  Tech Talk Streamlined Observability for Your Cloud Environment Register    Out of the Box to Up And Running ...

Splunk Smartness with Brandon Sternfield | Episode 3

Hello and welcome to another episode of "Splunk Smartness," the interview series where we explore the power of ...