I have events that look like this:
[abc] logline1 [def] logline 2 [ghi] logline 3
and I would like to split those events at search time into 3 single line events.
Is that possible?
I know this should be done at the Indexer / Heavy Forwarder level using LINE_BREAKER, but that's not an option at this time.
Before posting I tried this:
| rex mode=sed "s/([\r\n]+)/##LF##/g" | makemv _raw delim="##LF##" | mvexpand _raw
but I couldn't make it work. Events are joined in a long string separated by ##LF##, but then those lines don't split back into separate events.
Try like this. The mvexpand command doesn't seem to work with fields starting with underscore.
your base search | rex mode=sed "s/([\r\n]+)/##LF##/g" | makemv _raw delim="##LF##" | rename _raw as raw | mvexpand raw | rename raw as _raw
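A self-contained way to try the rename workaround from this answer, as an added example that is not from the original thread: it builds one event with makeresults in the format shown in the question (tags separated by spaces rather than line breaks, so the sed expression here inserts the delimiter before each bracketed tag instead of replacing [\r\n]+; the ##LF## delimiter and the _raw/raw field names are the ones used in the answer).

```spl
| makeresults count=1
| eval _raw="[abc] logline1 [def] logline 2 [ghi] logline 3"
| rex mode=sed "s/ \[/##LF##[/g"
| makemv _raw delim="##LF##"
| rename _raw as raw
| mvexpand raw
| rename raw as _raw
| table _time _raw
```

The expected result is three rows whose _raw values are "[abc] logline1", "[def] logline 2" and "[ghi] logline 3"; dropping the two rename steps reproduces the mvexpand-on-_raw problem described in the question.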
Super! It's almost working: the remaining problem is that lines are being re-grouped in reverse order... Could that be fixed? Thanks!
I'm sorry my comment was incomplete. I meant rows are being re-grouped in reverse order when I pipe the output of your solution to
It normally doesn't happen.
Referring to your previous question:
I strongly suggest working now to get these logs indexed properly instead of trying to solve this problem at search time. You will end up being frustrated time and time again if your events are not indexed properly.
I got that, thanks. We are already working to add correct indexing at the forwarder level. In the meantime, however, we need this workaround.