Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

line break to different entries

arunkuriakose
Explorer
‎09-06-2024 01:24 AM

arunkuriakose_0-1725610979258.png

 

I have logs indexed like this. How to break entries based on each lines . i need each line as a seperate entry.

 

I tried to do this via line breaker but didnt succeed. Any method to do it via search after indexing

 

Labels (2)
Labels
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎09-06-2024 02:32 PM

There are several different issues touched here.

As you have already indexed data, you cannot break the events again and re-index them. You can, however manipulate your data during searching. But you will have to "break" the data into separate results on each search explicitly using search commands.

If you want newly ingested data properly broken and indexed as separate events you need to configure your ingestion settings properly. But that will only work on newly ingested data. Old data will stay as it was.

0 Karma
Reply

arunkuriakose
Explorer
‎09-06-2024 03:06 PM

Hi

 

thanks for the response. If i can reindex the data how to apply line breaking settings effficiently to achieve this

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎09-07-2024 01:16 AM

As @ITWhisperer said - show us your raw events and what have you tried so far because maybe your idea was OK but applied in a wrong place.

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎09-06-2024 01:35 AM

Please share your raw events and the configurations you have tried

0 Karma
Reply

arunkuriakose
Explorer
‎09-09-2024 02:42 AM

Hi

 

thanks for the response .

sample logs: (these are coming as a single event as mentioned in screenshot)

zowin.exposed. 3600 in ns ns1.dyna-ns.net.

zowin.exposed. 3600 in ns ns2.dyna-ns.net.

zuckerberg.exposed. 3600 in ns ns1.afternic.com.

zuckerberg.exposed. 3600 in ns ns2.afternic.com.

zwiebeltvde.exposed. 3600 in ns docks13.rzone.de.

zwiebeltvde.exposed. 3600 in ns shades01.rzone.de

I am applying this on UF config . (/etc/system/local/propes.conf

[zone_files]

LINE_BREAKER= ([\r\n]+)
SHOULD_LINEMERGE = false


~

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎09-09-2024 04:15 AM

OK. Let's back up a little.

1. How are the events ingested? Read from files with a monitor input or any other way? (like HEC input or a modular input). You mention UF so I suspect monitor input(s) but I want to be sure.

2. I assume you meant props.conf, not propes.conf - that was just a typo here, right?

3. Line breaking is _not_ happening on the UF. You need to have your LINE_BREAKER defined on the first heavy component that the event passes through (if you're sending from UF directly to indexers, you need this setting on the indexers).

Reply

arunkuriakose
Explorer
‎09-09-2024 10:39 PM

@PickleRick  Your comments helped. I  was applying this on the UF level and changing to indexers made it work. Thanks

0 Karma
Reply
Get Updates on the Splunk Community!

Developer Spotlight with Paul Stout

Welcome to our very first developer spotlight release series where we'll feature some awesome Splunk ...

State of Splunk Careers 2024: Maximizing Career Outcomes and the Continued Value of ...

For the past four years, Splunk has partnered with Enterprise Strategy Group to conduct a survey that gauges ...

Data-Driven Success: Splunk & Financial Services

Splunk streamlines the process of extracting insights from large volumes of data. In this fast-paced world, ...