Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

splunk data input

syloee
Explorer
‎06-27-2021 10:22 PM

This is data file( ip -- [time] text &&& ip -- [time] text &&& ip -- [time] text &&&)

41.146.8.66 - - [13/Jan/2016 21:03:09:200] "POST /category.screen?category_id=SURPRISE&JSESSIONID=SD1SL2FF5ADFF3 HTTP 1.1" 200 3496 "http://www.myflowershop.com/cart.do?action=view&itemId=EST-16&product_id=RP-SN-01" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-US) AppleWebKit/533.4 (KHTML, like Gecko) Chrome/5.0.375.38 Safari/533.4" 294&&&130.253.37.97 - - [13/Jan/2016 21:03:09:185] "GET /category.screen?category_id=BOUQUETS&JSESSIONID=SD7SL2FF1ADFF8 HTTP 1.1" 200 2320 "http://www.myflowershop.com/cart.do?action=changequantity&itemId=EST-12&product_id=AV-CB-01" "Opera/9.20 (Windows NT 6.0; U; en)" 361&&&141.146.8.66 - -

-> i want to this ↓

ip -- [time] text

ip -- [time] text

ip -- [time] text

 

What can I do? (use LINE_BREAKER, etc)

Labels (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎06-27-2021 11:12 PM

@syloee 

Just change YOUR_SOURCETYPE with your original sourcetype.

 

 

[ YOUR_SOURCETYPE ]
SHOULD_LINEMERGE=true
LINE_BREAKER=(&&&)
NO_BINARY_CHECK=true

 

Thanks
KV
▄︻̷̿┻̿═━一

If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

venkatasri
SplunkTrust
SplunkTrust
‎06-27-2021 11:16 PM

Hi @syloee 

Can you try this, you should set Timestamp extraction settings as well and the following props.conf should be deployed to HF/indexer.

As per docs,  

NOTE: You get a significant boost to processing speed when you use
  LINE_BREAKER to delimit multi-line events (as opposed to using
  SHOULD_LINEMERGE=true to reassemble individual lines into multi-line events).
[<your_sourcetype>]
SHOULD_LINEMERGE=false
LINE_BREAKER=(&&&)\d+.\d+.\d+.\d+

---

An upvote would be appreciated and Accept solution if it helps!

 

Tags (2)
0 Karma
Reply
Solved! Jump to solution

syloee
Explorer
‎06-27-2021 11:49 PM

 

 
0 Karma
Reply
Solved! Jump to solution
Solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎06-27-2021 11:12 PM

@syloee 

Just change YOUR_SOURCETYPE with your original sourcetype.

 

 

[ YOUR_SOURCETYPE ]
SHOULD_LINEMERGE=true
LINE_BREAKER=(&&&)
NO_BINARY_CHECK=true

 

Thanks
KV
▄︻̷̿┻̿═━一

If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.

0 Karma
Reply
Solved! Jump to solution

Rkyadav0235
Loves-to-Learn
‎09-14-2021 11:45 PM

I am not getting events data,could you help me 

0 Karma
Reply
Solved! Jump to solution

syloee
Explorer
‎06-27-2021 11:49 PM

  1.  

     
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

Data Management Digest – May 2026

Welcome to the May 2026 edition of Data Management Digest!   As your trusted partner in data innovation, the ...