Getting Data In

splunk data input

syloee
Explorer

This is data file( ip -- [time] text &&& ip -- [time] text &&& ip -- [time] text &&&)

41.146.8.66 - - [13/Jan/2016 21:03:09:200] "POST /category.screen?category_id=SURPRISE&JSESSIONID=SD1SL2FF5ADFF3 HTTP 1.1" 200 3496 "http://www.myflowershop.com/cart.do?action=view&itemId=EST-16&product_id=RP-SN-01" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-US) AppleWebKit/533.4 (KHTML, like Gecko) Chrome/5.0.375.38 Safari/533.4" 294&&&130.253.37.97 - - [13/Jan/2016 21:03:09:185] "GET /category.screen?category_id=BOUQUETS&JSESSIONID=SD7SL2FF1ADFF8 HTTP 1.1" 200 2320 "http://www.myflowershop.com/cart.do?action=changequantity&itemId=EST-12&product_id=AV-CB-01" "Opera/9.20 (Windows NT 6.0; U; en)" 361&&&141.146.8.66 - -

-> i want to this ↓

ip -- [time] text

ip -- [time] text

ip -- [time] text

 

What can I do? (use LINE_BREAKER, etc)

Labels (3)
0 Karma
1 Solution

kamlesh_vaghela
SplunkTrust
SplunkTrust

@syloee 

Just change YOUR_SOURCETYPE with your original sourcetype.

 

[ YOUR_SOURCETYPE ]
SHOULD_LINEMERGE=true
LINE_BREAKER=(&&&)
NO_BINARY_CHECK=true

 

Thanks
KV
▄︻̷̿┻̿═━一

If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.

View solution in original post

0 Karma

venkatasri
SplunkTrust
SplunkTrust

Hi @syloee 

Can you try this, you should set Timestamp extraction settings as well and the following props.conf should be deployed to HF/indexer.

As per docs,  

NOTE: You get a significant boost to processing speed when you use
  LINE_BREAKER to delimit multi-line events (as opposed to using
  SHOULD_LINEMERGE=true to reassemble individual lines into multi-line events).
[<your_sourcetype>]
SHOULD_LINEMERGE=false
LINE_BREAKER=(&&&)\d+.\d+.\d+.\d+

---

An upvote would be appreciated and Accept solution if it helps!

 

Tags (2)
0 Karma

syloee
Explorer

 

 
0 Karma

kamlesh_vaghela
SplunkTrust
SplunkTrust

@syloee 

Just change YOUR_SOURCETYPE with your original sourcetype.

 

[ YOUR_SOURCETYPE ]
SHOULD_LINEMERGE=true
LINE_BREAKER=(&&&)
NO_BINARY_CHECK=true

 

Thanks
KV
▄︻̷̿┻̿═━一

If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.

0 Karma

Rkyadav0235
Loves-to-Learn

I am not getting events data,could you help me 

0 Karma

syloee
Explorer
  1.  

     
0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...