How to event break using Regex. Not working.

hhGA · ‎10-21-2015

Hi,

I'm trying to import some CSV data into Splunk which is all on one line. The events are separated by a space and I am trying to use Regex to separate them, but to no avail. I have tried to do this on Splunk Cloud 6.3, Splunk Enterprise 6.3 and 6.2.5.

This is an example of the data I am trying to import:

1445429543,266.600000000000,4.228747140000 1445429534,266.600000000000,0.070900000000 1445429496,266.360000000000,0.120000000000 1445429479,266.350000000000,0.068756580000 1445429478,266.360000000000,0.051243420000 1445429458,266.360000000000,0.070000000000
1445429452,266.640000000000,0.279821050000

There are 3 comma separated fields per event.

I have used the Regex \s which does not work as well as things such as \d just to see if it is working. Nothing ever gets applied to my data though.

I have tried using the settings BREAK_ONLY_BEFORE, MUST_BREAK_AFTER and LINE_BREAKER.

Would anyone please be able to help?

Thanks.

somesoni2 · ‎10-21-2015

Give this a try (in the Web UI, add this in the Advanced tab)

NO_BINARY_CHECK=true
TIME_PREFIX=^
TIME_FORMAT=%s
MAX_TIMESTAMP_LOOKAHEAD=10

hhGA · ‎10-23-2015

Hi somesoni2,
Thanks for giving it a go but this is not working either. It's not making any changes at all to the data. Am starting to think that my Splunk instance is not even attempting to apply the settings.

richgalloway · ‎10-21-2015

Assuming the first number in each triplet is a Unix-epoch timestamp, have you tried this?

BREAK_ONLY_BEFORE_DATE = true
TIME_FORMAT = %s
INDEXED_EXTRACTIONS = CSV

---
If this reply helps you, Karma would be appreciated.

hhGA · ‎10-21-2015

Hi,

Thanks for your answer. I have tried using these values but it makes no changes at all to my data structure. It's almost as if Splunk is ignoring them altogether.

richgalloway · ‎10-21-2015

Are you restarting Splunk after each change to the props.conf file?

---
If this reply helps you, Karma would be appreciated.

hhGA · ‎10-21-2015

I'm not using the props.conf file as I do not have access to it. I am using the Add Data 'wizard' in the web interface.

richgalloway · ‎10-21-2015

Do you have any control over the format of the data? If so, it would have if you added a header line and put one event (3 fields) per line.
If you can't change how the data is generated, we'll have to consider using transforms, but that can't be done via the GUI.

---
If this reply helps you, Karma would be appreciated.

hhGA · ‎10-23-2015

No, I don't have any control over the data and as I don't have access to trans.conf I can't play about with transforms. Is there any reason why my original method is not working?

richgalloway · ‎10-23-2015

What version of Splunk are you using? I've replicated your lack of results using 6.3 and suspect there may be a bug in that version. If you're using a different version then the problem must lie elsewhere.

---
If this reply helps you, Karma would be appreciated.

hhGA · ‎10-23-2015

I have tried using 6.3 and 6.2.5. I also suspect there must be a bug from the complete lack of change in the data.

How to event break using Regex. Not working.

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life