Splunk DB Connect: How to configure an input to properly index a database column that can have a multiline field?

danisam
New Member

Hello,

I am using Splunk DB Connect to input data to an index in Splunk.
I have the raw data below that I can obtain after configuring the Input from the DB Connect app.
I have a problem though with my MySQL database column called "rate" where I can have multiple lines.
I used:
- Key-Value based
- Multiline Key-Value based

In the first option, my result was to have events for each line in this column, and for the second format using multiline, I have only the first line for this value:
Rate=Increment: 60 s

How can I perform this input task?

2015-03-01T00:03:32.000
RadAcctId=45
Realm=xxxxvoip.com
NASIPAddress=201.150.38.168
NASPortId=5060
NASPortType=
AcctStopTime=1425190234.000
AcctSessionTime=422
AcctAuthentic=
ConnectInfo_start=
ConnectInfo_stop=
AcctInputOctets=4327420
AcctOutputOctets=4329752
AcctTerminateCause=200
ServiceType=outgoing
ENUMtld=none
FramedIPAddress=
AcctStartDelay=1
AcctStopDelay=1
SipMethod=Invite
SipResponseCode=200
SipToTag=gK02b0adc3
SipFromTag=as0df4d303
SipTranslatedRequestURI=0xxxxxxx@0.0.0.0
SipUserAgents=Asterisk PBX 1.8.26.1=2Bunknown agent
SipApplicationType=audio
SipCodecs=G711a
SipRPID=8113650922
SipRPIDHeader=
SourceIP=0.0.0.0
SourcePort=6243
CanonicalURI=0052xxxx@xxxvoip.com
DelayTime=
Timestamp=0
DestinationId=5244
Rate=Increment: 60 s
     Min duration: 60 s
        Duration: 480 s
             App: audio
     Destination: 5244
        Customer: domain=voip.com
         Connect: 0.0000
       StartTime: 2015-03-01 00:03:32
    --
            Span: 1
        Duration: 480 s
       ProfileId: xxxx_msi / weekend
          RateId: xxxx_msi / 0-24h
            Rate: 0.6200 / 60 s
           Price: 4.9600
Price=4.9600
Normalized=1
BillingId=378387
MediaInfo=
RTPStatistics=
FromHeader==221010=22 =3Csip:xxxxx@xxxxvoip.com=3E=3Btag=3Das0df4d303
UserAgent=Asterisk PBX 1.8.26.1
Contact=
0 Karma

bjoernjensen
Contributor

Hi,

something like the following in your inputs.conf might help:
output.format = mkv

All the best - B

0 Karma

danisam
New Member

Think I need to add a SHOULD_LINEMERGE = true?

0 Karma

bjoernjensen
Contributor

Maybe I misunderstood you. I thought the content above (code block) is already your output format of DB Connect. Sorry.

Maybe it is better to use output.template. There you would define your format like this:
$column_name_1$ my separator $column_name_2$ etc

For details have a look here:
http://docs.splunk.com/Documentation/DBX/1.1.7/DeployDBX/inputsspec

and here:
http://answers.splunk.com/answers/172153/why-splunk-db-connect-is-not-properly-importing-da.html

0 Karma
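
The event boundaries the question is asking for, as an added example that is not part of the original posts and is not Splunk or DB Connect code. It is a standalone Python model of the intended parse, useful for checking a sample export before tuning the input. It assumes each event starts with an ISO timestamp line, every field key starts in column 0, and continuation lines of a multiline value (such as Rate) are indented; the sample text is constructed from the layout in the question.

```python
import re

# Constructed sample, shortened from the event layout shown in the question.
SAMPLE = """\
2015-03-01T00:03:32.000
RadAcctId=45
NASPortType=
DestinationId=5244
Rate=Increment: 60 s
     Min duration: 60 s
        Customer: domain=voip.com
    --
            Rate: 0.6200 / 60 s
           Price: 4.9600
Price=4.9600
FromHeader==221010=22 =3Csip:user@example.com=3E
2015-03-01T00:05:10.000
RadAcctId=46
Rate=Increment: 60 s
Price=0.6200
"""

# Assumption: a line holding only an ISO timestamp opens a new event.
EVENT_START = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?$")
# Assumption: a field key starts in column 0; indented "Rate:" or "domain=" never match.
FIELD_START = re.compile(r"^([A-Za-z_]\w*)=(.*)$")


def parse_events(text):
    """Split text into events and fold indented lines into the preceding field."""
    events, current, last_key = [], None, None
    for line in text.splitlines():
        if EVENT_START.match(line):
            current, last_key = {"_time": line}, None
            events.append(current)
            continue
        if current is None:
            continue  # ignore anything before the first timestamp
        m = FIELD_START.match(line)
        if m:
            last_key = m.group(1)
            current[last_key] = m.group(2)
        elif last_key is not None and line.strip():
            # Continuation of a multiline value: keep the line break, drop the indent.
            current[last_key] += "\n" + line.strip()
    return events


if __name__ == "__main__":
    for ev in parse_events(SAMPLE):
        print(ev["_time"], repr(ev["Rate"]), ev["Price"])
```
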