Getting Data In

splunk data input

syloee
Explorer

This is data file( ip -- [time] text &&& ip -- [time] text &&& ip -- [time] text &&&)

41.146.8.66 - - [13/Jan/2016 21:03:09:200] "POST /category.screen?category_id=SURPRISE&JSESSIONID=SD1SL2FF5ADFF3 HTTP 1.1" 200 3496 "http://www.myflowershop.com/cart.do?action=view&itemId=EST-16&product_id=RP-SN-01" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-US) AppleWebKit/533.4 (KHTML, like Gecko) Chrome/5.0.375.38 Safari/533.4" 294&&&130.253.37.97 - - [13/Jan/2016 21:03:09:185] "GET /category.screen?category_id=BOUQUETS&JSESSIONID=SD7SL2FF1ADFF8 HTTP 1.1" 200 2320 "http://www.myflowershop.com/cart.do?action=changequantity&itemId=EST-12&product_id=AV-CB-01" "Opera/9.20 (Windows NT 6.0; U; en)" 361&&&141.146.8.66 - -

-> i want to this ↓

ip -- [time] text

ip -- [time] text

ip -- [time] text

 

What can I do? (use LINE_BREAKER, etc)

Labels (3)
0 Karma
1 Solution

kamlesh_vaghela
SplunkTrust
SplunkTrust

@syloee 

Just change YOUR_SOURCETYPE with your original sourcetype.

 

[ YOUR_SOURCETYPE ]
SHOULD_LINEMERGE=true
LINE_BREAKER=(&&&)
NO_BINARY_CHECK=true

 

Thanks
KV
▄︻̷̿┻̿═━一

If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.

View solution in original post

0 Karma

venkatasri
SplunkTrust
SplunkTrust

Hi @syloee 

Can you try this, you should set Timestamp extraction settings as well and the following props.conf should be deployed to HF/indexer.

As per docs,  

NOTE: You get a significant boost to processing speed when you use
  LINE_BREAKER to delimit multi-line events (as opposed to using
  SHOULD_LINEMERGE=true to reassemble individual lines into multi-line events).
[<your_sourcetype>]
SHOULD_LINEMERGE=false
LINE_BREAKER=(&&&)\d+.\d+.\d+.\d+

---

An upvote would be appreciated and Accept solution if it helps!

 

Tags (2)
0 Karma

syloee
Explorer

 

 
0 Karma

kamlesh_vaghela
SplunkTrust
SplunkTrust

@syloee 

Just change YOUR_SOURCETYPE with your original sourcetype.

 

[ YOUR_SOURCETYPE ]
SHOULD_LINEMERGE=true
LINE_BREAKER=(&&&)
NO_BINARY_CHECK=true

 

Thanks
KV
▄︻̷̿┻̿═━一

If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.

0 Karma

Rkyadav0235
Loves-to-Learn

I am not getting events data,could you help me 

0 Karma

syloee
Explorer
  1.  

     
0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...