Getting Data In

Why are multiline fields not parsed properly?

sivaranjiniG
Path Finder

I have the below log file, which I indexed with the props below.

 

type=PROCTITLE msg=audit(02/08/2022 15:00:01.749:4321) : proctitle=xxxx
type=PATH msg=audit(02/08/2022 15:00:01.749:4321) : item=1 name=xxx  mode=file,644 
type=PATH msg=audit(02/08/2022 15:00:01.749:4321) : item=0 name=sfsdfds  mode=file,644 ouid=root 
type=CWD msg=audit(02/08/2022 15:00:01.749:4321) :  cwd=/
type=SYSCALL msg=audit(02/08/2022 15:00:01.749:4321) : arch=x86_64 syscall=open success=yes exit=3 a0=dsfdsfds a1=dfsdf a2=sdfsdf a3=sdfsdf 
----
type=CRED_ACQ msg=audit(02/08/2022 15:00:01.749:4322) : pid=30891 
----
type=LOGIN msg=audit(02/08/2022 15:00:01.751:4323) : pid=30891 
----
type=USER_ACCT msg=audit(02/08/2022 15:00:01.751:4324) : pid=30892 
----

 

Props.conf

[src_type]
SHOULD_LINEMERGE = false
LINE_BREAKER = (----\s)

It gets properly indexed with the line breaking, but when I search for values(type) on the search head it is not giving all the values.

For example, from the first event, values(type) is supposed to be a multivalue field with

PROCTITLE, PATH, CWD, SYSCALL
but it only has the single value PROCTITLE.

Why is the type value not properly getting extracted?

Am I missing something with the props configuration?

Thanks for the help in advance :)
1 Solution

PickleRick
SplunkTrust

In the case of automatic KV extractions, Splunk only gets the first value (or so it seems). You have to define custom extractions to deal with such situations and use

MV_ADD = <boolean>
* NOTE: This setting is only valid for search-time field extractions.
* Optional. Controls what the extractor does when it finds a field which
  already exists.
* If set to true, the extractor makes the field a multivalued field and
  appends the newly found value, otherwise the newly found value is
  discarded.
* Default: false

in your transforms.


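Putting the accepted answer into concrete configuration, as an added example that is not part of the original post: the stanzas below keep the sourcetype name src_type and the index-time settings from the question, and add a search-time REPORT- extraction with MV_ADD = true. The transform name audit_kv_mv, the key/value regex, and the placeholder app path $SPLUNK_HOME/etc/apps/<your_app>/local/ are my own choices. Because REPORT- extractions and MV_ADD are search-time settings, both files have to be deployed on the search head, not only on the indexer or forwarder.

```ini
# props.conf  (added example; the two index-time lines are the ones from the question)
[src_type]
SHOULD_LINEMERGE = false
LINE_BREAKER = (----\s)
# Search-time: apply the custom key=value transform below to every event of this sourcetype.
REPORT-audit_kv = audit_kv_mv
# Optional: turn off the automatic key=value extractor for this sourcetype so that the
# custom transform is the only thing producing the "type" field.
KV_MODE = none

# transforms.conf  (added example)
[audit_kv_mv]
# Group 1 becomes the field name, group 2 its value. Value alternatives, tried in order:
#   "..."        a double-quoted value, in case your source quotes paths
#   word(...)    audit(02/08/2022 15:00:01.749:4321), which contains a space
#   \S+          anything else up to the next whitespace
# This regex is an assumption; adjust it if your audit output is formatted differently.
REGEX = (\w+)=("[^"]*"|\w+\([^)]*\)|\S+)
FORMAT = $1::$2
# Without this the extractor keeps only the first value it sees for a field
# (type=PROCTITLE) and discards the later ones (PATH, PATH, CWD, SYSCALL).
MV_ADD = true
```

After placing the files, restart Splunk (or use the debug/refresh endpoint) and check with a search such as `index=<your-data-index> sourcetype=src_type | eval n=mvcount(type) | stats max(n)`: the five-line SYSCALL event from the question should report 5, and `values(type)` then shows the four distinct values PROCTITLE, PATH, CWD, SYSCALL because it deduplicates the two PATH entries. If you need the automatic extractor for other reasons, leave KV_MODE at its default and re-run the same check to confirm that type still carries all of its values.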


VatsalJagani
SplunkTrust

The props you specified are for index-time parsing, and you say the line breaker is working as expected.

By default, Splunk uses search-time field extraction for (key=value) pairs.

But in your case it is not working, so just to validate, run the query below and see what you get:

index=<your-data-index> sourcetype="src_type" | extract pairdelim=" " kvdelim="="

 
