Why are multiline fields not parsed properly?

sivaranjiniG
Path Finder

I have the below log file, which I indexed with the props below.

type=PROCTITLE msg=audit(02/08/2022 15:00:01.749:4321) : proctitle=xxxx
type=PATH msg=audit(02/08/2022 15:00:01.749:4321) : item=1 name=xxx  mode=file,644 
type=PATH msg=audit(02/08/2022 15:00:01.749:4321) : item=0 name=sfsdfds  mode=file,644 ouid=root 
type=CWD msg=audit(02/08/2022 15:00:01.749:4321) :  cwd=/
type=SYSCALL msg=audit(02/08/2022 15:00:01.749:4321) : arch=x86_64 syscall=open success=yes exit=3 a0=dsfdsfds a1=dfsdf a2=sdfsdf a3=sdfsdf 
----
type=CRED_ACQ msg=audit(02/08/2022 15:00:01.749:4322) : pid=30891 
----
type=LOGIN msg=audit(02/08/2022 15:00:01.751:4323) : pid=30891 
----
type=USER_ACCT msg=audit(02/08/2022 15:00:01.751:4324) : pid=30892 
----

Props.conf

[src_type]
SHOULD_LINEMERGE = false
LINE_BREAKER = (----\s)

It gets properly indexed with line breaking, but when I search for values(type) on the search head it is not giving all the values.

For example, from the first event, values(type) is supposed to be a multivalue field with

PROCTITLE, PATH, CWD, SYSCALL
but it only has the single value PROCTITLE.

Why is the type value not properly getting extracted?

Am I missing something with the props configuration?

Thanks for the help in advance )
1 Solution

PickleRick
SplunkTrust
SplunkTrust

In the case of automatic KV extractions, Splunk only gets the first value (or so it seems). You have to define custom extractions to deal with such situations and use

MV_ADD = <boolean>
* NOTE: This setting is only valid for search-time field extractions.
* Optional. Controls what the extractor does when it finds a field which
  already exists.
* If set to true, the extractor makes the field a multivalued field and
  appends the newly found value, otherwise the newly found value is
  discarded.
* Default: false

in your transforms

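Putting the accepted answer into concrete stanzas, as an added example that is not from the original thread: the transforms stanza name audit_type_mv and the REPORT- class name are assumptions, the sourcetype and LINE_BREAKER are the asker's own, and the search-time props are assumed to live wherever searches run (search head).

```ini
# transforms.conf (added example, not from the thread)
# Stanza name "audit_type_mv" is an assumption.
[audit_type_mv]
# Match "type=<VALUE>" at the start of every line inside the merged
# event, so PATH, CWD and SYSCALL are captured, not only PROCTITLE.
REGEX = (?m)^type=(\w+)
FORMAT = type::$1
# Append each additional match to the existing "type" field instead of
# discarding it; the default (false) is why only the first value shows up.
MV_ADD = true

# props.conf (added example; the first two settings are the asker's
# existing index-time config, the REPORT- line is the search-time addition)
[src_type]
SHOULD_LINEMERGE = false
LINE_BREAKER = (----\s)
REPORT-audit_type = audit_type_mv
```

To confirm, run `index=<your-data-index> sourcetype="src_type" | stats values(type) by _time` after the change; values() deduplicates, so a duplicate PROCTITLE contributed by the automatic KV extraction is harmless.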

VatsalJagani
SplunkTrust
SplunkTrust

The props you specify are for index-time parsing, and you are saying the line breaker is working as expected.

By default, Splunk uses search-time field extraction for (key=value) pairs.

But in your case it is not working, so just to validate, run the query below to see what you get:

index=<your-data-index> sourcetype="src_type" | extract pairdelim=" " kvdelim="="
