Splunk Search
How to split multi-line events at search time?

Explorer

I have events that look like this:

[abc] logline1
[def] logline 2
[ghi] logline 3

and I would like to split those events at search time into 3 single line events.
Is that possible?

Thanks!

P.S.
I know this should be done at Indexer / Heavy Forwarder level using LINE_BREAKER, but that's not an option at this time.


Re: How to split multi-line events at search time?

Explorer

Before posting I tried this:
| rex mode=sed "s/([\r\n]+)/##LF##/g" | makemv _raw delim="##LF##" | mvexpand _raw

but I couldn't make it work. Events are joined in a long string separated by ##LF##, but then those lines don't split back into separate events.

0 Karma

Re: How to split multi-line events at search time?

SplunkTrust

Try like this. The mvexpand command doesn't seem to work with fields starting with underscore.

your base search | rex mode=sed "s/([\r\n]+)/##LF##/g" | makemv _raw delim="##LF##" | rename _raw as raw | mvexpand raw | rename raw as _raw

Re: How to split multi-line events at search time?

Explorer

Super! It's almost working: the remaining problem is that lines are being re-grouped in reverse order... Could that be fixed? Thanks!

0 Karma

Re: How to split multi-line events at search time?

Explorer

I'm sorry my comment was incomplete. I meant rows are being re-grouped in reverse order when I pipe the output of your solution to transaction ...
It normally doesn't happen

0 Karma

Re: How to split multi-line events at search time?

Explorer

I ended up adding | reverse at the end... go figure why that happens!...
Thanks a lot!

0 Karma

Re: How to split multi-line events at search time?

Champion

Referring to your previous question:

https://answers.splunk.com/answers/618398/why-is-splunk-not-breaking-each-log-line-into-sing.html#an...

I strongly suggest working now to get these logs indexed properly instead of trying to solve this problem at search time. You will end up being frustrated time and time again if your events are not indexed properly.

0 Karma

Re: How to split multi-line events at search time?

Explorer

I got that, thanks. We are already working to add correct indexing at forwarder level. In the meantime, however, we need this workaround.

0 Karma
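For the index-time fix the thread keeps pointing to, here is a props.conf stanza (an example added here, not posted in the thread) that breaks the sample events shown in the question into one event per bracketed line; the sourcetype name is an assumed placeholder.

```ini
# props.conf on the indexer or heavy forwarder (added example; the sourcetype
# name below is an assumed placeholder, not from the thread)
[my_multiline_app]
# Break the stream at a run of newlines, but only where the next line starts
# with a "[tag]" like "[abc] logline1". The captured newline run is discarded;
# the lookahead keeps any untagged continuation line attached to its event.
LINE_BREAKER = ([\r\n]+)(?=\[[^\]]+\])
# Do not re-merge the resulting single-line events back into multi-line ones
SHOULD_LINEMERGE = false
# If every line is a complete event, the simpler form works too:
# LINE_BREAKER = ([\r\n]+)
```

After restarting the forwarder, only newly indexed data picks up the stanza; already-indexed multi-line events still need the search-time makemv/mvexpand workaround from this thread.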