
How to get the stats in multiline for each event?

Contributor

Hello all,

I've been trying to get some stats from JSON data that I've been receiving in Splunk.
See: [screenshot]

I think I'm not getting the stats because the events are multifield and it is all repeated.
See the search here in case it is needed:

sourcetype=api_in_tasks to_team=TEAM-177 "TK-EU-28209292.1.1"   | dedup task consecutive=true | rex field=task "(?<ticket>\w[\w\-]*)" | join type=inner ticket [search sourcetype=api_in_tasks from_team=TEAM-210| rex field=task "(?<ticket>\w[\w\-]*)" | dedup task consecutive=true | rename created_at as created_at_ticket | fields ticket,created_at_ticket ] | eval ticket_created=strftime(created_at_ticket,"%m/%d/%y %H:%M:%S") | eval diff=created_at-created_at_ticket | eval diff_time=strftime(diff,"%m/%d/%y %H:%M:%S") | eval created_task=strftime(created_at,"%m/%d/%y %H:%M:%S")  | table task,ticket,created_task,ticket_created,diff_time, created_at_ticket

Here is another screenshot of the data: [screenshot]

Now, I've tried to reduce it to one line by adding these options (two separate attempts, not at the same time) to props.conf.

First try:

LINE_BREAKER = {(.*?)}
SHOULD_LINEMERGE = false

Second try:

LINE_BREAKER = ([\r\n]+)
SHOULD_LINEMERGE = false

But none of this has worked. Any idea?

Thank you in advance.


Re: How to get the stats in multiline for each event?

SplunkTrust

Can you give sample data, in text?


Re: How to get the stats in multiline for each event?

Contributor
{"owned_by":null,"created_at":"1513607755.69364","priority":"PRI-444","ticket_source":"Email (Customer)","task_state":"Complete","cti":"CTI-EU-00001610","customer":null,"from_team":"TEAM-EU-00000210","ticket_state":"Closed","due_date":null,"to_team":"TEAM-EU-00000177","last_updated":"1515425723.04014","redirection_type":"Delegate","task":"TK-EU-28209292.1.1","impact":"General Request","ticket_type":"Internal","urgency":"Low"}

Re: How to get the stats in multiline for each event?

SplunkTrust

Hi marina,

Try the following configuration.

BREAK_ONLY_BEFORE = (?=\{")
SHOULD_LINEMERGE = false

Re: How to get the stats in multiline for each event?

Contributor

Do I have to re-read everything again, or just restart Splunk?


Re: How to get the stats in multiline for each event?

SplunkTrust

Hi marina,

Unfortunately, you have to re-read everything again.


Re: How to get the stats in multiline for each event?

Contributor

Same 😞. Don't I need another " character? Or does it understand this well?


Re: How to get the stats in multiline for each event?

SplunkTrust

What I don't get is why it just doesn't work from the start... When I manually add the data over the web GUI, Splunk automatically notices the format and does the line breaks correctly...

[screenshot]

Can you show me some lines of the file you are trying to index?
And your props.conf configs with the stanza?


Re: How to get the stats in multiline for each event?

Contributor

This data is coming from an API, so I'm using the REST API app to get it.

I can modify a sourcetype, but I haven't gone as far as setting that the data is coming in JSON format.

The props is simple, it's the basic plus the lines we talked about above:

[angora_api_redirection_in_tasks]
CHARSET = ISO-8859-1
DATETIME_CONFIG =
INDEXED_EXTRACTIONS = json
NO_BINARY_CHECK = true
TIMESTAMP_FIELDS = created_at
TIME_FORMAT = %s
category = Custom
pulldown_type = 1
LINE_BREAKER = (?=\{")
SHOULD_LINEMERGE = false

Should I change any of these parameters?

Thank you

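Because each attempt at a line-breaking rule in this thread costs a full re-read of the data, it helps to check a LINE_BREAKER regex offline first. The script below is an added example of my own (not Splunk's code and not from anyone in the thread). It emulates the documented LINE_BREAKER rule with SHOULD_LINEMERGE = false: the regex must contain a capturing group, the start of the first capturing group ends the previous event, the end of that group starts the next event, and the text the group matched is discarded. The three records are constructed in the shape of the record posted above (fewer fields, made-up values) and are deliberately written two-concatenated-then-newline, so the example shows a breaker that works for back-to-back JSON objects, one that only works for newline-separated records, and one with no capturing group at all.

```python
import json
import re

# Constructed sample stream (not real data): two JSON records written back-to-back
# with no separator, then a newline, then a third record.
RAW_STREAM = (
    '{"owned_by":null,"created_at":"1513607755.69364","task":"TK-EU-28209292.1.1","task_state":"Complete"}'
    '{"owned_by":null,"created_at":"1513607800.00000","task":"TK-EU-28209292.1.2","task_state":"Open"}\n'
    '{"owned_by":null,"created_at":"1513607900.00000","task":"TK-EU-28209293.1.1","task_state":"Open"}'
)


def split_events(stream, line_breaker):
    """Emulate Splunk's LINE_BREAKER handling (SHOULD_LINEMERGE = false).

    Documented rule: the regex needs a capturing group; the first group's start
    closes the previous event, its end opens the next, and the matched group
    text is dropped. This emulation is my own approximation of that rule.
    """
    pattern = re.compile(line_breaker)
    if pattern.groups == 0:
        # e.g. LINE_BREAKER = (?=\{") -- a lookahead only, no capturing group
        raise ValueError("LINE_BREAKER needs a capturing group: %r" % line_breaker)
    events = []
    pos = 0
    for match in pattern.finditer(stream):
        start, end = match.span(1)
        if start == -1:          # first group did not take part in this match
            continue
        events.append(stream[pos:start])
        pos = end
    events.append(stream[pos:])
    return [event for event in events if event.strip()]


def parse_events(stream, line_breaker):
    """Break the stream, then show which events are valid JSON on their own."""
    parsed = []
    for event in split_events(stream, line_breaker):
        try:
            parsed.append(json.loads(event))
        except json.JSONDecodeError as exc:
            # A breaker that leaves two objects in one event fails here ("Extra data")
            parsed.append({"_parse_error": str(exc), "_raw": event[:60]})
    return parsed


if __name__ == "__main__":
    # Breaks between a closing and an opening brace, whatever whitespace sits between.
    for rec in parse_events(RAW_STREAM, r"\}(\s*)\{"):
        print("brace breaker:", rec.get("task", rec.get("_parse_error")))
    # Only breaks on newlines, so the two concatenated records stay glued together.
    for rec in parse_events(RAW_STREAM, r"([\r\n]+)"):
        print("newline breaker:", rec.get("task", rec.get("_parse_error")))
    try:
        split_events(RAW_STREAM, r'(?=\{")')
    except ValueError as err:
        print("rejected:", err)
```

Run it with the real exported payload in place of RAW_STREAM to see how a candidate breaker would slice your events before committing to a re-index; a record that comes back with `_parse_error` is exactly the kind of glued-together event that later produces the repeated field values seen in the screenshots.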

Re: How to get the stats in multiline for each event?

Ultra Champion

From the screenshot in your question, the event seems to be a single event, right? It is just the field extractions that are duplicated somehow?

Did you write custom field extractions and also leave KV_MODE at its default setting (auto)?
