- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: Splunk DB Connect: How to configure an input t...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Splunk DB Connect: How to configure an input to properly index a database column that can have a multiline field?
Hello ,
I am using Splunk DB Connect to input data to an index in splunk.
I have the raw data below that I can obtain after configuring the Input from the DB Connect app.
I have a problem though with my mysql database column called "rate" where i can have multiple lines.
I used:
- Key-Value based
- Multiline Key-Value based
In the first option, my result was to have events for each line in this column, and for the second format using multiline, I have only the first line for this value:
Rate=Increment: 60 s
How can I perform this input task?
2015-03-01T00:03:32.000
RadAcctId=45
Realm=xxxxvoip.com
NASIPAddress=201.150.38.168
NASPortId=5060
NASPortType=
AcctStopTime=1425190234.000
AcctSessionTime=422
AcctAuthentic=
ConnectInfo_start=
ConnectInfo_stop=
AcctInputOctets=4327420
AcctOutputOctets=4329752
AcctTerminateCause=200
ServiceType=outgoing
ENUMtld=none
FramedIPAddress=
AcctStartDelay=1
AcctStopDelay=1
SipMethod=Invite
SipResponseCode=200
SipToTag=gK02b0adc3
SipFromTag=as0df4d303
SipTranslatedRequestURI=0xxxxxxx@0.0.0.0
SipUserAgents=Asterisk PBX 1.8.26.1=2Bunknown agent
SipApplicationType=audio
SipCodecs=G711a
SipRPID=8113650922
SipRPIDHeader=
SourceIP=0.0.0.0
SourcePort=6243
CanonicalURI=0052xxxx@xxxvoip.com
DelayTime=
Timestamp=0
DestinationId=5244
Rate=Increment: 60 s
Min duration: 60 s
Duration: 480 s
App: audio
Destination: 5244
Customer: domain=voip.com
Connect: 0.0000
StartTime: 2015-03-01 00:03:32
--
Span: 1
Duration: 480 s
ProfileId: xxxx_msi / weekend
RateId: xxxx_msi / 0-24h
Rate: 0.6200 / 60 s
Price: 4.9600
Price=4.9600
Normalized=1
BillingId=378387
MediaInfo=
RTPStatistics=
FromHeader==221010=22 =3Csip:xxxxx@xxxxvoip.com=3E=3Btag=3Das0df4d303
UserAgent=Asterisk PBX 1.8.26.1
Contact=
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
something like the following in your inputs.conf might help:
output.format = mkv
All the best - B
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Think i need to add a SHOULD_LINEMERGE = true ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
May I misunderstood you. I thought the content above (code block) is already your output format of db connect. Sorry.
Maybe it is better to use output.template. There you would define your format like this:
$column_name_1$ my seperator $column_name_2$ etc
For details have a look here:
http://docs.splunk.com/Documentation/DBX/1.1.7/DeployDBX/inputsspec
and here:
http://answers.splunk.com/answers/172153/why-splunk-db-connect-is-not-properly-importing-da.html
Announcing Scheduled Export GA for Dashboard Studio
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!
