I have the log file below, which I indexed with the props below.
type=PROCTITLE msg=audit(02/08/2022 15:00:01.749:4321) : proctitle=xxxx
type=PATH msg=audit(02/08/2022 15:00:01.749:4321) : item=1 name=xxx mode=file,644
type=PATH msg=audit(02/08/2022 15:00:01.749:4321) : item=0 name=sfsdfds mode=file,644 ouid=root
type=CWD msg=audit(02/08/2022 15:00:01.749:4321) : cwd=/
type=SYSCALL msg=audit(02/08/2022 15:00:01.749:4321) : arch=x86_64 syscall=open success=yes exit=3 a0=dsfdsfds a1=dfsdf a2=sdfsdf a3=sdfsdf
----
type=CRED_ACQ msg=audit(02/08/2022 15:00:01.749:4322) : pid=30891
----
type=LOGIN msg=audit(02/08/2022 15:00:01.751:4323) : pid=30891
----
type=USER_ACCT msg=audit(02/08/2022 15:00:01.751:4324) : pid=30892
----
Props.conf
[src_type]
SHOULD_LINEMERGE = false
LINE_BREAKER = (----\s)
It gets properly indexed with line breaking, but when I search for values(type) on the search head it's not giving all the values.
For example, from the first event values(type) is supposed to be a multivalue field with
In the case of automatic KV extractions, Splunk only gets the first value (or so it seems). You have to define custom extractions to deal with such situations and use
MV_ADD = <boolean>
* NOTE: This setting is only valid for search-time field extractions.
* Optional.
* Controls what the extractor does when it finds a field which already exists.
* If set to true, the extractor makes the field a multivalued field and appends the newly found value, otherwise the newly found value is discarded.
* Default: false
in your transforms.
The props you specify are for index-time parsing, and you are saying the line breaker is working as expected.
By default, Splunk uses search-time field extraction for key=value pairs.
But in your case it is not working, so just to validate, run the query below to see what you get:
index=<your-data-index> sourcetype="src_type" | extract pairdelim=" " kvdelim="="
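The two answers describe two separate steps: index-time line breaking on the "----" separator, and search-time key=value extraction, where a repeated key such as type= or name= is either kept as a list (MV_ADD = true) or silently reduced to its first occurrence (the default). The script below is an added illustration, not Splunk code and not part of the thread; it re-implements both steps over the four auditd events from the question (embedded as a constructed sample) so you can see exactly which values survive under each setting. The regex for a key=value pair (the msg=audit(...) special case included) is my own assumption about how the pairs should be tokenised, not Splunk's actual extractor. From a detection standpoint the point is concrete: with the default behaviour the first event keeps only the PATH record with item=1, so the second PATH record (item=0, name=sfsdfds, ouid=root) never becomes searchable.

```python
from __future__ import annotations

import re

# Constructed sample: the four auditd events from the question, laid out as
# they would sit in the indexed file (each event terminated by "----").
SAMPLE_LOG = """\
type=PROCTITLE msg=audit(02/08/2022 15:00:01.749:4321) : proctitle=xxxx
type=PATH msg=audit(02/08/2022 15:00:01.749:4321) : item=1 name=xxx mode=file,644
type=PATH msg=audit(02/08/2022 15:00:01.749:4321) : item=0 name=sfsdfds mode=file,644 ouid=root
type=CWD msg=audit(02/08/2022 15:00:01.749:4321) : cwd=/
type=SYSCALL msg=audit(02/08/2022 15:00:01.749:4321) : arch=x86_64 syscall=open success=yes exit=3 a0=dsfdsfds a1=dfsdf a2=sdfsdf a3=sdfsdf
----
type=CRED_ACQ msg=audit(02/08/2022 15:00:01.749:4322) : pid=30891
----
type=LOGIN msg=audit(02/08/2022 15:00:01.751:4323) : pid=30891
----
type=USER_ACCT msg=audit(02/08/2022 15:00:01.751:4324) : pid=30892
----
"""

# Same pattern as LINE_BREAKER = (----\s) in the question's props.conf: the
# separator and the whitespace after it are consumed, and everything between
# two separators becomes one event.
LINE_BREAKER = re.compile(r"----\s")

# One key=value pair (assumed tokenisation, roughly what the second answer's
# "| extract pairdelim=\" \" kvdelim=\"=\"" does). msg=audit(...) carries a
# space inside the parentheses, so that shape is matched as a unit first;
# every other value runs to the next whitespace.
KV_PAIR = re.compile(r"(\w+)=(audit\([^)]*\)|\S+)")


def break_events(raw: str) -> list[str]:
    """Index-time step: split the raw file into events on the '----' separator."""
    return [chunk.strip() for chunk in LINE_BREAKER.split(raw) if chunk.strip()]


def extract_kv(event: str, mv_add: bool) -> dict[str, object]:
    """Search-time step: key=value extraction over a single event.

    mv_add=False mimics the default (MV_ADD = false): a key that already
    exists keeps its first value and every later value is discarded.
    mv_add=True mimics MV_ADD = true: a repeated key becomes a list.
    """
    fields: dict[str, object] = {}
    for key, value in KV_PAIR.findall(event):
        if key not in fields:
            fields[key] = value
        elif mv_add:
            current = fields[key]
            as_list = current if isinstance(current, list) else [current]
            fields[key] = as_list + [value]
        # else: the extractor discards the repeat, which is what the
        # questioner is seeing in values(type)
    return fields


def values(fields: dict[str, object], key: str) -> list[str]:
    """Like Splunk's values(): the distinct values of one field, sorted."""
    present = fields.get(key)
    if present is None:
        return []
    return sorted(set(present if isinstance(present, list) else [present]))


if __name__ == "__main__":
    events = break_events(SAMPLE_LOG)
    print(f"{len(events)} events after line breaking")
    first = events[0]
    for mv_add in (False, True):
        fields = extract_kv(first, mv_add)
        print(f"MV_ADD = {str(mv_add).lower()}: "
              f"values(type)={values(fields, 'type')} name={fields.get('name')}")
```

Running it shows four events after line breaking; for the first event the default path reports values(type) as just PROCTITLE and name as xxx, while the MV_ADD path reports CWD, PATH, PROCTITLE and SYSCALL with name holding both xxx and sfsdfds. If the validation search from the second answer shows only the first value for type, that matches the default branch above and points to the MV_ADD = true transform the first answer recommends.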