Getting Data In

splunk data input

syloee
Explorer

This is data file( ip -- [time] text &&& ip -- [time] text &&& ip -- [time] text &&&)

41.146.8.66 - - [13/Jan/2016 21:03:09:200] "POST /category.screen?category_id=SURPRISE&JSESSIONID=SD1SL2FF5ADFF3 HTTP 1.1" 200 3496 "http://www.myflowershop.com/cart.do?action=view&itemId=EST-16&product_id=RP-SN-01" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-US) AppleWebKit/533.4 (KHTML, like Gecko) Chrome/5.0.375.38 Safari/533.4" 294&&&130.253.37.97 - - [13/Jan/2016 21:03:09:185] "GET /category.screen?category_id=BOUQUETS&JSESSIONID=SD7SL2FF1ADFF8 HTTP 1.1" 200 2320 "http://www.myflowershop.com/cart.do?action=changequantity&itemId=EST-12&product_id=AV-CB-01" "Opera/9.20 (Windows NT 6.0; U; en)" 361&&&141.146.8.66 - -

-> i want to this ↓

ip -- [time] text

ip -- [time] text

ip -- [time] text

 

What can I do? (use LINE_BREAKER, etc)

Labels (3)
0 Karma
1 Solution

kamlesh_vaghela
SplunkTrust
SplunkTrust

@syloee 

Just change YOUR_SOURCETYPE with your original sourcetype.

 

[ YOUR_SOURCETYPE ]
SHOULD_LINEMERGE=true
LINE_BREAKER=(&&&)
NO_BINARY_CHECK=true

 

Thanks
KV
▄︻̷̿┻̿═━一

If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.

View solution in original post

0 Karma

venkatasri
SplunkTrust
SplunkTrust

Hi @syloee 

Can you try this, you should set Timestamp extraction settings as well and the following props.conf should be deployed to HF/indexer.

As per docs,  

NOTE: You get a significant boost to processing speed when you use
  LINE_BREAKER to delimit multi-line events (as opposed to using
  SHOULD_LINEMERGE=true to reassemble individual lines into multi-line events).
[<your_sourcetype>]
SHOULD_LINEMERGE=false
LINE_BREAKER=(&&&)\d+.\d+.\d+.\d+

---

An upvote would be appreciated and Accept solution if it helps!

 

Tags (2)
0 Karma

syloee
Explorer

 

 
0 Karma

kamlesh_vaghela
SplunkTrust
SplunkTrust

@syloee 

Just change YOUR_SOURCETYPE with your original sourcetype.

 

[ YOUR_SOURCETYPE ]
SHOULD_LINEMERGE=true
LINE_BREAKER=(&&&)
NO_BINARY_CHECK=true

 

Thanks
KV
▄︻̷̿┻̿═━一

If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.

0 Karma

Rkyadav0235
Loves-to-Learn

I am not getting events data,could you help me 

0 Karma

syloee
Explorer
  1.  

     
0 Karma
Get Updates on the Splunk Community!

New Learning Videos on Topics Most Requested by You! Plus This Month’s New Splunk ...

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...

How I Instrumented a Rust Application Without Knowing Rust

As a technical writer, I often have to edit or create code snippets for Splunk's distributions of ...

Splunk Community Platform Survey

Hey Splunk Community, Starting today, the community platform may prompt you to participate in a survey. The ...