Breaking an event with occasionally repeating fields, or use multikv?

tlay
Explorer

We have a very simple space delimited input, but the results occasionally instantiate per event:

 INFO_TYPE 2019-08-27 06:39:09:782 192.168.5.5 1 2 123 123 123 
 INFO_TYPE 2019-08-27 06:39:09:782 192.168.5.5 1 2 123 123 123 123 4 123 12 12
 INFO_TYPE 2019-08-27 06:39:09:782 192.168.5.5 1 2 123 123 123 123 4 123 12 12 124 4 123 12 12

Considering there can be n results (over 200 in the same event), what is the best way to set up the props and transforms to account for this at index time? We can specify the INFO_TYPE as the sourcetype, the timestamp is there and automatic, we have a hostname, and then the data is in groupings of 5. The data is of the same class; they represent statistics related to the first number, but are essentially the same data. We intend to associate the results with both the first number and also with each other in general.

 INFO_TYPE 2019-08-27 06:39:09:782 192.168.5.5 (1 2 123 123 123) (123 4 123 12 12) (124 4 123 12 12)

I would ideally like to break after the first 5 data fields and repeat the header info to make each a unique event. I think that multikv is more of a search-time thing, and I think this data will be easier for us to digest if we get it right at index time.

Regards,
-Tony

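The reshaping Tony describes (break after every fifth data field and repeat the header in front of each group) is easiest to do before the data reaches the indexer, since Splunk's LINE_BREAKER removes the text it matches and does not copy header fields into each split event. The following is an added example, not code from the original post or from Splunk: a small Python preprocessor that turns one raw line into one line per statistics group, with a second mode that emits key=value records. The sample lines are copies of the ones in the question, the field names `key` and `stat1..stat4` are assumed (the post does not name them), and a line whose tail is not a whole number of groups is rejected rather than padded, because silently guessing the group boundary would attach statistics to the wrong first number.

```python
"""Reshape space-delimited events whose tail repeats in groups of N fields
into one event per group, repeating the header fields each time.

Added example (not from the original post). Field names for the five
columns are an assumption; adjust GROUP_SIZE / header layout to taste.
"""
from __future__ import annotations

from typing import Iterable, Iterator

HEADER_FIELDS = 4   # INFO_TYPE, date, time, host (as in the sample lines)
GROUP_SIZE = 5      # each statistics block is five whitespace-separated numbers


def group_field_names(group_size: int = GROUP_SIZE) -> list[str]:
    """Assumed column names: the first number is the key, the rest are stats."""
    return ["key"] + [f"stat{i}" for i in range(1, group_size)]


def parse_event(line: str, group_size: int = GROUP_SIZE) -> tuple[list[str], list[list[str]]]:
    """Split one raw line into (header_fields, [group, group, ...]).

    Raises ValueError when the line is too short or when the data tail is
    not a whole number of groups; a ragged tail means the event was
    truncated or the group size is wrong, and padding would mis-attribute
    statistics to the wrong key.
    """
    tokens = line.split()
    if len(tokens) < HEADER_FIELDS + group_size:
        raise ValueError(f"event too short for one group: {line!r}")
    header, data = tokens[:HEADER_FIELDS], tokens[HEADER_FIELDS:]
    leftover = len(data) % group_size
    if leftover:
        raise ValueError(f"ragged tail, {leftover} leftover field(s): {line!r}")
    groups = [data[i:i + group_size] for i in range(0, len(data), group_size)]
    return header, groups


def explode_event(line: str, group_size: int = GROUP_SIZE) -> list[str]:
    """One output line per group, each prefixed with the repeated header."""
    header, groups = parse_event(line, group_size)
    return [" ".join(header + g) for g in groups]


def to_records(line: str, group_size: int = GROUP_SIZE) -> list[dict[str, str]]:
    """Same split, but as key=value dicts (useful if you prefer a KV or JSON
    sourcetype over positional fields). 'seq' preserves group order."""
    header, groups = parse_event(line, group_size)
    info_type, date, clock, host = header
    names = group_field_names(group_size)
    records = []
    for seq, g in enumerate(groups):
        rec = {"info_type": info_type, "timestamp": f"{date} {clock}",
               "host": host, "seq": str(seq)}
        rec.update(zip(names, g))
        records.append(rec)
    return records


def explode_stream(lines: Iterable[str], group_size: int = GROUP_SIZE) -> Iterator[str]:
    """Stream version for piping a whole file; blank lines are skipped."""
    for line in lines:
        if line.strip():
            yield from explode_event(line, group_size)


# Constructed sample input: the three lines from the question.
SAMPLE = [
    "INFO_TYPE 2019-08-27 06:39:09:782 192.168.5.5 1 2 123 123 123",
    "INFO_TYPE 2019-08-27 06:39:09:782 192.168.5.5 1 2 123 123 123 123 4 123 12 12",
    "INFO_TYPE 2019-08-27 06:39:09:782 192.168.5.5 1 2 123 123 123 123 4 123 12 12 124 4 123 12 12",
]

if __name__ == "__main__":
    for out in explode_stream(SAMPLE):
        print(out)
```

Run it as a filter (`python reshape.py < raw.log > per_group.log`, adapting `__main__` to read `sys.stdin`) or wrap it as a scripted input; the indexer then sees ordinary one-group-per-line events and the existing timestamp and sourcetype handling keeps working unchanged.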