Solved: Re: Why are multiline fields not parsed properly?

sivaranjiniG · ‎02-14-2022

I have below logs file i indexed with props below.

type=PROCTITLE msg=audit(02/08/2022 15:00:01.749:4321) : proctitle=xxxx
type=PATH msg=audit(02/08/2022 15:00:01.749:4321) : item=1 name=xxx  mode=file,644 
type=PATH msg=audit(02/08/2022 15:00:01.749:4321) : item=0 name=sfsdfds  mode=file,644 ouid=root 
type=CWD msg=audit(02/08/2022 15:00:01.749:4321) :  cwd=/
type=SYSCALL msg=audit(02/08/2022 15:00:01.749:4321) : arch=x86_64 syscall=open success=yes exit=3 a0=dsfdsfds a1=dfsdf a2=sdfsdf a3=sdfsdf 
----
type=CRED_ACQ msg=audit(02/08/2022 15:00:01.749:4322) : pid=30891 
----
type=LOGIN msg=audit(02/08/2022 15:00:01.751:4323) : pid=30891 
----
type=USER_ACCT msg=audit(02/08/2022 15:00:01.751:4324) : pid=30892 
----

Props.conf

[src_type]
SHOULD_LINEMERGE = false
LINE_BREAKER = (----\s)

Its properly get indexed with line breaking but when i search for values(type) on search head its not giving all the values

for example, from the first event values(type) suppose to be multivalue field with

PROCTITLE, PATH, CWD, SYSCALL
but it only has single value PROCTITLE

why type value is not properly getting extracted.

Am i missing something with props configuration???

Thanks for the help in advance )

PickleRick · ‎02-14-2022

In case of automatic KV extractions Splunk only gets first value (or so it seems). You have to define custom extractions to deal with such situations and use

MV_ADD = <boolean>
* NOTE: This setting is only valid for search-time field extractions.
* Optional. Controls what the extractor does when it finds a field which
  already exists.
* If set to true, the extractor makes the field a multivalued field and
  appends the newly found value, otherwise the newly found value is
  discarded.
* Default: false

in your transforms

View solution in original post

PickleRick · ‎02-14-2022

In case of automatic KV extractions Splunk only gets first value (or so it seems). You have to define custom extractions to deal with such situations and use

MV_ADD = <boolean>
* NOTE: This setting is only valid for search-time field extractions.
* Optional. Controls what the extractor does when it finds a field which
  already exists.
* If set to true, the extractor makes the field a multivalued field and
  appends the newly found value, otherwise the newly found value is
  discarded.
* Default: false

in your transforms

VatsalJagani · ‎02-14-2022

The props you specify are for index time parsing and you are saying the line-breaker is working as expected.

By default, Splunk uses search-time field extraction for (key=value) pairs.

But in your case it is not working so just to validate run the below query to see what you get:

index=<your-data-index> sourcetype="src_type" | extract pairdelim=" " kvdelim="="

Why are multiline fields not parsed properly?

indexer

props.conf

transforms.conf

Can’t make it to .conf25? Join us online!

Take Action Automatically on Splunk Alerts with Red Hat Ansible Automation Platform

Calling All Security Pros: Ready to Race Through Boston?

Beyond Detection: How Splunk and Cisco Integrated Security Platforms Transform ...

Are you a member of the Splunk Community?