Monitoring Splunk

Multiline event query - Sharepoint logs

neilamoran
Explorer

I am trying to index logs from my Sharepoint farm into Splunk. I have managed to get Splunk to correctly deal with multiline events.

The difficulty I have is in correctly dealing with the fields within the events that are created when the Sharepoint Message field has a larger number of characters.

As a simplified example, I might see lines like this:

Timestamp,1,2,3,The 
Timestamp*,1,2,3,sky
Timestamp*,1,2,3,is
Timestamp*,1,2,3,blue

Sharepoint uses the * after the timestamp to indicate a multiline event, duplicates all fields other than the Message field across all the lines in the event, and then splits the Message field across all the lines. In reality it further indicates the multiline event by using ellipses, like so:

Timestamp,1,2,3,The...
Timestamp*,1,2,3,...sky...
Timestamp*,1,2,3,...is...
Timestamp*,1,2,3,...blue

I'd like to get Splunk to index the example above as a single event like:

Timestamp,1,2,3,The sky is blue

...so (now I'm doing it! 😄 ) that I could search for things like Message="*sky*blue*" and return the single consolidated event, instead of nothing.

Any suggestions? I'm not sure what would be the best approach here.

UPDATE: Just realised I hadn't explained what currently seems to happen with the fields set in my props.conf - basically the fields get read correctly out of the first line (and for all single line events) but then Splunk hits the second line and lumps it and all the rest of the event into an undefined field so it can't be searched. So what I'd get from the example above is an event that contains:

_time=Timestamp
field1=1
field2=2
field3=3
Message=The...

and the raw event would contain the entire text from all lines. So this is the behaviour I'm trying to avoid.

Cheers!

gkanapathy
Splunk Employee

I would consider using SEDCMD, something like:

SEDCMD-spmsg = s/(?s-m)(?:[\r\n])+Timestamp\*,(?:[^,]*,){3}\s*\.\.\.([\V]*)\.\.\.(?=\v|$)/\1/g

or

SEDCMD-spmsg = s/(?m-s)^Timestamp\*,(?:[^,]*,){3}\s*\.\.\.(.*)\.\.\.$/\1/g

might do it.

0 Karma
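To make the format from the question and the substitution approach from the answer concrete, here is an added example (my own, not code from either post or from Splunk) that applies a simplified SEDCMD-style regex to one raw multiline event in Python, then shows why a wildcard search only works once the Message fragments have been consolidated. The field names, the three copied fields and the sample lines are constructed from the simplified example above; real ULS logs have more fields, so the field count in the regex would need adjusting.

```python
import re

# Constructed sample of the format described in the question: a continuation line
# has '*' after the timestamp, copies fields 1-3, and joins Message fragments with '...'.
RAW_EVENT = (
    "Timestamp,1,2,3,The...\n"
    "Timestamp*,1,2,3,...sky...\n"
    "Timestamp*,1,2,3,...is...\n"
    "Timestamp*,1,2,3,...blue"
)

# Same idea as a SEDCMD s/.../ /g: match the trailing '...', the line break, the
# continuation prefix (timestamp*, three copied fields) and the leading '...', and
# replace all of it with a single space so the Message field reads naturally.
CONT_JOIN = re.compile(
    r"\.\.\.\r?\n"          # ellipsis closing the previous fragment, then newline
    r"[^,\r\n]*\*,"         # timestamp carrying the '*' continuation marker
    r"(?:[^,\r\n]*,){3}"    # the three duplicated fields (adjust for real ULS logs)
    r"\s*\.\.\."            # ellipsis opening the next fragment
)

def consolidate(raw):
    """Collapse one multiline SharePoint event into a single line (hypothetical helper)."""
    return CONT_JOIN.sub(" ", raw)

def parse_fields(event):
    """Extract fields from the first line only, mirroring what the question observed:
    field extraction stops at the first line break, so Message keeps just 'The...'."""
    first_line = event.split("\n", 1)[0]
    ts, f1, f2, f3, message = first_line.split(",", 4)
    return {"_time": ts, "field1": f1, "field2": f2, "field3": f3, "Message": message}

def message_matches(event, pattern):
    """Emulate a Splunk wildcard search such as Message="*sky*blue*" on the event."""
    regex = "^" + ".*".join(map(re.escape, pattern.split("*"))) + "$"
    return re.match(regex, parse_fields(event)["Message"], re.S) is not None

if __name__ == "__main__":
    merged = consolidate(RAW_EVENT)
    print(merged)                                   # Timestamp,1,2,3,The sky is blue
    print(message_matches(RAW_EVENT, "*sky*blue*"))  # False: Message is only "The..."
    print(message_matches(merged, "*sky*blue*"))     # True
```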

neilamoran
Explorer

Wow - that looks complicated. Sorry to be a painfully ignorant newbie, but could you break down for me what that little lot is actually doing? Looks like I'll need to modify it slightly to use in the real world (unlike my simplified example) and I'm not clear how it works, so don't know what to change, or how much.

Also, as far as I can understand, SEDCMD s/ should do string replacement - will this handle the string correctly as it is built up over multiple lines?

Please excuse my ignorance - just trying to understand.
