Splunk Search
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Custom multi-line parsing tip

clyde772
Communicator
‎05-03-2010 09:40 AM

I want to chop multiline events like below. I had splunk to automatically process the data, but it didn't quite work where the event started with "Begin_Event".
How can I define custom event separation rule so that the each evens starts after "Begin_Event" tag?

(Begin_Event)

environmentFailureEvent - EAS - KG-079, Cab 1, Pos 1, active ACG, EAS 0 - May 3, 2010 00:02:55. [247] Rectifier Module Fail - Clear
(EndEvent)

(BeginEvent)

processingFailureEvent - IHLR_ALARM_APP - KTIHLR1_B, IHLR_ALARM_APP 1 - May 3, 2010 00:02:49. [17260] Subscriber Not In iDEN HLR - Minor. RC:77 imsi=450079680700513

(EndEvent)

Tags (1)
0 Karma
Reply

gkanapathy
Splunk Employee
Splunk Employee
‎05-03-2010 06:02 PM

Just set:

SHOULD_LINEMERGE = false
BREAK_ONLY_BEFORE = ^\(Begin_Event\)

for your sourcetype or source in props.conf. Alternatively you could use:

SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)(?=\(Begin_Event\))

Variations of the above can remove the (Begin_Event) line as well.

Reply
Get Updates on the Splunk Community!

Fueling your curiosity with new Splunk ILT and eLearning courses

At Splunk Education, we’re driven by curiosity—both ours and yours! That’s why we’re committed to delivering ...

Splunk AI Assistant for SPL 1.1.0 | Now Personalized to Your Environment for Greater ...

Splunk AI Assistant for SPL has transformed how users interact with Splunk, making it easier than ever to ...

Unleash Unified Security and Observability with Splunk Cloud Platform

     Now Available on Microsoft AzureOn Demand Now Step boldly into the AI revolution with enhanced security ...
li.common.scroll-to.top