Splunk Enterprise

How to output CSV file that has one log line per event?

afellowgood
Explorer

I changed my props.conf a while ago so that SHOULD_LINEMERGE=false, and since then, I've gotten my desired result—one log line for one event.

However, whenever I output my search to a CSV file, it still contains the events that were indexed prior to me changing the props.conf. These events still have multiple log lines under a single timestamp.

Is there any way to tell Splunk to retroactively break up those indexed events into their own separate events? Or at least output to a CSV that has one event = one line?


to4kawa
Ultra Champion

You should use fields and table before outputting CSV.


afellowgood
Explorer

I've made sure to do that.


to4kawa
Ultra Champion

and | table _raw _time timestamp
How about this?


afellowgood
Explorer

I tried that and I'm still getting (old) events that contain multiple log lines (separated by \n).


to4kawa
Ultra Champion

It is your _raw.

You should modify LINE_BREAKER in props.conf.


afellowgood
Explorer

Oh, is it getting messed up because \r is in the string "\regular"?


to4kawa
Ultra Champion

source=...
| eval _raw = replace(_raw,"\\\n","#")
| makemv delim="#" _raw
| stats values(_time) as _time values(timestamp) as timestamp by _raw
| fields _raw _time timestamp
| table _raw _time timestamp

This is a workaround.

to4kawa
Ultra Champion

LINE_BREAKER = (\\\n) ?


afellowgood
Explorer

I tried this and I still get the same amount of events, whereas the number of events should increase--does this mean that once events are indexed by Splunk, they can't be separated into smaller events?

This is what my local props.conf looks like.


to4kawa
Ultra Champion

"once events are indexed by Splunk, they can't be separated into smaller events?"
Yes.

Maybe it needs |delete and re-indexing.

afellowgood
Explorer

Ah, that's a shame, I don't have the older logs anymore. Thank you so much for your help though, I really appreciate it. I think I'll just try and write a script to manually separate those events. Thanks again!

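A minimal version of the post-processing script mentioned in this post, added here as an example (not the poster's own code): it reads a Splunk "Export results" CSV whose _raw column still holds the older multi-line events and writes one row per log line, copying the event's _time and timestamp onto every line. The column names and the sample rows are constructed for the example; it splits on plain newlines, as the poster described.

```python
import csv
import io

# Constructed sample of an "Export results" CSV. The first row is an older
# event whose _raw still holds three log lines under one timestamp; the
# second was indexed after SHOULD_LINEMERGE=false, so it is already one line.
SAMPLE_EXPORT = (
    '"_raw","_time","timestamp"\n'
    '"2024-03-01 10:00:01 INFO start job=12\n'
    '2024-03-01 10:00:02 WARN retry job=12\n'
    '2024-03-01 10:00:03 INFO done job=12",'
    '"2024-03-01T10:00:01.000+00:00","2024-03-01 10:00:01"\n'
    '"2024-03-01 10:05:00 INFO single line",'
    '"2024-03-01T10:05:00.000+00:00","2024-03-01 10:05:00"\n'
)


def split_events(csv_text, raw_field="_raw"):
    """Return one dict per log line.

    Each line inside a multi-line _raw becomes its own row and inherits every
    other column (_time, timestamp, ...) from the event it came from, which is
    the same thing the | makemv / | stats workaround does inside Splunk.
    """
    reader = csv.DictReader(io.StringIO(csv_text))  # quoted fields may span lines
    rows = []
    for event in reader:
        # splitlines() treats \n and \r\n the same and drops a trailing newline
        for line in event[raw_field].splitlines():
            if not line.strip():
                continue  # skip blank lines left behind by trailing separators
            row = dict(event)
            row[raw_field] = line
            rows.append(row)
    return rows


def write_one_line_per_event(csv_text, out_path):
    """Write the split rows to out_path; returns the number of rows written."""
    rows = split_events(csv_text)
    fieldnames = list(rows[0].keys()) if rows else []
    with open(out_path, "w", newline="") as fh:
        writer = csv.DictWriter(fh, fieldnames=fieldnames)
        writer.writeheader()
        writer.writerows(rows)
    return len(rows)


if __name__ == "__main__":
    print(write_one_line_per_event(SAMPLE_EXPORT, "one_line_per_event.csv"))
```

Every split line keeps the timestamp of the original merged event, so _time is only as precise as the first line of each old event; if the old events turn out to end lines with a backslash before the newline, strip that from each line as well.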

to4kawa
Ultra Champion

Please provide your query to outputcsv.


afellowgood
Explorer

I'm not too sure what you mean--are you saying that I can specify this through the outputcsv command?


to4kawa
Ultra Champion

How are you outputting to CSV without using outputcsv?

You're doing a search, aren't you?


afellowgood
Explorer

Oh, I'm using the default export results to create a CSV, I'm not actually using the outputcsv command in the search field.