Monitoring Splunk
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to get Splunk DB Connect to respect multiline data in a column?

fredclown
Builder
‎11-13-2014 04:01 PM

I've got a table that I am pulling data into Splunk with DB Connect. I've got the database input and database connection created. I figured I would use Key-Value format for the output format as I have some columns that have multiline data in them and it appears that it is smart enough to figure that out and it quotes the column data and changing literal quotes in the data to escaped quotes. However, when I do searches on the data the multiline fields are being broken at the first line break or escaped quote. I've tried every output format that there is. I'm sure there is a way to fix this, but my hunch is I'm going to have to edit a props.conf file for it as I can't find anything in the interface to tell it how to behave the way I want. Am I correct in this?

0 Karma
Reply

musskopf
Builder
‎11-23-2014 08:14 AM

Hello,

I' using the multi-line key-value format. Here it looks inside $SPLUNK_HOME/etc/apps/dbx/local/inputs.conf:

[dbmon-tail://KKK/KKK Alerts]
index = ws_kkk_alerts
interval = 240
output.format = mkv
output.timestamp = 1
output.timestamp.column = LastModifiedUTC
output.timestamp.parse.format = yyyy-MM-dd' 'HH:mm:ss' 'Z
output.timestamp.format = yyyy-MM-dd' 'HH:mm:ss' 'Z
query = SELECT bla bla bla.... {{AND av.$rising_column$ > ?}}
sourcetype = kkk_alerts
tail.rising.column = LastModified
disabled = 0
table = KKK Alerts

Note the output.format = mkv.

0 Karma
Reply

aprameyaShyam
New Member
‎04-06-2015 02:28 AM

After using mkv, there is one event for each row. This is working fine.
But, the field that contains the text spanning multiple lines is truncated. It is not displaying the whole text. Could anyone please comment as to why is this happening?

0 Karma
Reply

fredclown
Builder
‎11-26-2014 03:30 PM

I tried mkv and it didn't work.The line break in the returned data was still messing up the field extraction.

0 Karma
Reply

musskopf
Builder
‎11-26-2014 03:36 PM

ok.. but is the event being split in multiple events? I mean, is a single DB row output by the query being broken into multiple events or is just the fact that the field extraction is broken?

0 Karma
Reply
Get Updates on the Splunk Community!

Accelerating Observability as Code with the Splunk AI Assistant

We’ve seen in previous posts what Observability as Code (OaC) is and how it’s now essential for managing ...

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

 Splunk is More Than Just the Web Console For Digital Forensics and Incident Response (DFIR) practitioners, ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...