Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

splunk data input

syloee
Explorer
‎06-27-2021 10:22 PM

This is data file( ip -- [time] text &&& ip -- [time] text &&& ip -- [time] text &&&)

41.146.8.66 - - [13/Jan/2016 21:03:09:200] "POST /category.screen?category_id=SURPRISE&JSESSIONID=SD1SL2FF5ADFF3 HTTP 1.1" 200 3496 "http://www.myflowershop.com/cart.do?action=view&itemId=EST-16&product_id=RP-SN-01" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-US) AppleWebKit/533.4 (KHTML, like Gecko) Chrome/5.0.375.38 Safari/533.4" 294&&&130.253.37.97 - - [13/Jan/2016 21:03:09:185] "GET /category.screen?category_id=BOUQUETS&JSESSIONID=SD7SL2FF1ADFF8 HTTP 1.1" 200 2320 "http://www.myflowershop.com/cart.do?action=changequantity&itemId=EST-12&product_id=AV-CB-01" "Opera/9.20 (Windows NT 6.0; U; en)" 361&&&141.146.8.66 - -

-> i want to this ↓

ip -- [time] text

ip -- [time] text

ip -- [time] text

 

What can I do? (use LINE_BREAKER, etc)

Labels (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎06-27-2021 11:12 PM

@syloee 

Just change YOUR_SOURCETYPE with your original sourcetype.

 

 

[ YOUR_SOURCETYPE ]
SHOULD_LINEMERGE=true
LINE_BREAKER=(&&&)
NO_BINARY_CHECK=true

 

Thanks
KV
▄︻̷̿┻̿═━一

If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

venkatasri
SplunkTrust
SplunkTrust
‎06-27-2021 11:16 PM

Hi @syloee 

Can you try this, you should set Timestamp extraction settings as well and the following props.conf should be deployed to HF/indexer.

As per docs,  

NOTE: You get a significant boost to processing speed when you use
  LINE_BREAKER to delimit multi-line events (as opposed to using
  SHOULD_LINEMERGE=true to reassemble individual lines into multi-line events).
[<your_sourcetype>]
SHOULD_LINEMERGE=false
LINE_BREAKER=(&&&)\d+.\d+.\d+.\d+

---

An upvote would be appreciated and Accept solution if it helps!

 

Tags (2)
0 Karma
Reply
Solved! Jump to solution

syloee
Explorer
‎06-27-2021 11:49 PM

 

 
0 Karma
Reply
Solved! Jump to solution
Solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎06-27-2021 11:12 PM

@syloee 

Just change YOUR_SOURCETYPE with your original sourcetype.

 

 

[ YOUR_SOURCETYPE ]
SHOULD_LINEMERGE=true
LINE_BREAKER=(&&&)
NO_BINARY_CHECK=true

 

Thanks
KV
▄︻̷̿┻̿═━一

If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.

0 Karma
Reply
Solved! Jump to solution

Rkyadav0235
Loves-to-Learn
‎09-14-2021 11:45 PM

I am not getting events data,could you help me 

0 Karma
Reply
Solved! Jump to solution

syloee
Explorer
‎06-27-2021 11:49 PM

  1.  

     
0 Karma
Reply
Get Updates on the Splunk Community!

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...

The latest enhancements across the Splunk Observability portfolio deliver greater flexibility, better data and ...

Alerting Best Practices: How to Create Good Detectors

At their best, detectors and the alerts they trigger notify teams when applications aren’t performing as ...

Discover Powerful New Features in Splunk Cloud Platform: Enhanced Analytics, ...

Hey Splunky people! We are excited to share the latest updates in Splunk Cloud Platform 9.3.2408. In this ...