Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to split multi-line events at search time?

aa123s
Explorer
‎02-14-2018 09:26 AM

I have events that look like this:

[abc] logline1
[def] logline 2
[ghi] logline 3

and I would like to split those events at search time into 3 single line events.
Is that possible?

Thanks!

P.S.
I Know this should be done at Indexer / Heavy Forwarder level using LINE_BREAKER, but that's not an option at this time.

Reply
1 Solution
Solved! Jump to solution
Solution

adonio
Ultra Champion
‎02-14-2018 09:49 AM

hello there,

maybe try the mvexpand command
check i tout:
https://docs.splunk.com/Documentation/Splunk/7.0.2/SearchReference/Mvexpand

View solution in original post

Reply
Solved! Jump to solution

msquicc
Path Finder
‎05-25-2022 08:28 AM

here's what I came up with.  seems to work pretty well without modifying the data:

 

| makeresults | eval _raw = "[abc] logline1
[def] logline 2
[ghi] logline 3"


| eval raw=_raw
| makemv tokenizer="(.*(\r\n|\r|\n|$))" raw
| mvexpand raw
| rename raw as _raw
0 Karma
Reply
Solved! Jump to solution

micahkemp
Champion
‎02-14-2018 11:36 AM

Referring to your previous question:

https://answers.splunk.com/answers/618398/why-is-splunk-not-breaking-each-log-line-into-sing.html#an...

I strongly suggest working now to get these logs indexed properly instead of trying to solve this problem at search time. You will end up being frustrated time and time again if your events are not indexed properly.

0 Karma
Reply
Solved! Jump to solution

aa123s
Explorer
‎02-14-2018 11:54 AM

I got that, Thanks. We are already working to add correct indexing at forwarder level. In the mean time, however, we need this workaround.

0 Karma
Reply
Solved! Jump to solution
Solution

adonio
Ultra Champion
‎02-14-2018 09:49 AM

hello there,

maybe try the mvexpand command
check i tout:
https://docs.splunk.com/Documentation/Splunk/7.0.2/SearchReference/Mvexpand

Reply
Solved! Jump to solution

aa123s
Explorer
‎02-14-2018 11:14 AM

Before posting I tried this:
| rex mode=sed "s/([\r\n]+)/##LF##/g" | makemv _raw delim="##LF##" | mvexpand _raw

but I couldn't make it work. Events are joined in a long string separated by ##LF##, but then those lines don't split back into separate events

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎02-14-2018 11:20 AM

Try like this. The mvexpand command doesn't seem to work with fields starting with underscore.

your base search | rex mode=sed "s/([\r\n]+)/##LF##/g" | makemv _raw delim="##LF##" | rename _raw as raw | mvexpand raw | rename raw as _raw
Reply
Solved! Jump to solution

aa123s
Explorer
‎02-14-2018 11:49 AM

Super! Its almost working: the remaining problem is that lines are being re-grouped in reverse order... Could that be fixed? Thanks!

0 Karma
Reply
Solved! Jump to solution

aa123s
Explorer
‎02-14-2018 11:58 AM

I'm sorry my comment was incomplete. I meant rows are being re-grouped in reverse order when I pipe the output of your solution to transaction ...
It normally doesn't happen

0 Karma
Reply
Solved! Jump to solution

aa123s
Explorer
‎02-14-2018 12:05 PM

I ended up adding | reverse at the end... go figure why that happens!...
Thanks a lot!

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

 Prepare to elevate your security operations with the powerful upgrade to Splunk Enterprise Security 8.x! This ...

Get Early Access to AI Playbook Authoring: Apply for the Alpha Private Preview ...

Passionate about security automation? Apply now to our AI Playbook Authoring Alpha private preview ...

Reduce and Transform Your Firewall Data with Splunk Data Management

Managing high-volume firewall data has always been a challenge. Noisy events and verbose traffic logs often ...