Splunk Search

Is there a way to use structured field extraction (PSV in this case) that works with multiline field values?

ljolly
Explorer

Hi There,

I have been trying with no luck today to do a structured field extraction using the "Add Data" function of my test environment:
Splunk Version 6.3.1
RHEL

The data looks something like this:

2016-01-11 08:22:11.048 +10:00|SDLC||someuniquedata|Appname|ver|11|Information| Single line message
2016-01-11 08:22:12.249 +10:00|SDLC||someuniquedata|Appname|ver|11|Warning| multi-line message part 1
 multi-line message part 2
 multi-line message part 3
2016-01-11 08:22:26.227 +10:00|SDLC||someuniquedata|Appname|ver|48|Information| Single line message

But when I configure the parameters to do a PSV field extraction, the multiline message part 2 and 3 lines are created as separate events. At this point, since I have used many combinations of SHOULD_LINEMERGE ( and dependent config options such as BREAK_ONLY_*) and LINE_BREAK to no avail, I am left with the sinking feeling that this is just the way this type of structured data is handled...

Is there something else (perhaps outside of the gui) that I could try?

Regards,
Luke

0 Karma
1 Solution

ljolly
Explorer

I managed to answer my own question, which is nice. 🙂

props.conf

[psv-iis]
SHOULD_LINEMERGE = true
NO_BINARY_CHECK = true
category = Custom
disabled = false
REPORT-extractpsv = extractpsv-iis
pulldown_type = true

transforms.conf

[extractpsv-iis]
DELIMS = "|"
FIELDS = Timestamp , Environment , ClientIP , CorrelationId , ApplicationName , ApplicationVersion , ThreadId , Level , Message

Regards,
Luke

View solution in original post

0 Karma

ljolly
Explorer

I managed to answer my own question, which is nice. 🙂

props.conf

[psv-iis]
SHOULD_LINEMERGE = true
NO_BINARY_CHECK = true
category = Custom
disabled = false
REPORT-extractpsv = extractpsv-iis
pulldown_type = true

transforms.conf

[extractpsv-iis]
DELIMS = "|"
FIELDS = Timestamp , Environment , ClientIP , CorrelationId , ApplicationName , ApplicationVersion , ThreadId , Level , Message

Regards,
Luke

0 Karma

ljolly
Explorer

I managed to answer my own question, which is nice. 🙂

props.conf

[psv-iis]
SHOULD_LINEMERGE = true
NO_BINARY_CHECK = true
category = Custom
disabled = false
REPORT-extractpsv = extractpsv-iis
pulldown_type = true

transforms.conf

[extractpsv-iis]
DELIMS = "|"
FIELDS = Timestamp , Environment , ClientIP , CorrelationId , ApplicationName , ApplicationVersion , ThreadId , Level , Message

Regards,
Luke

0 Karma

DMohn
Motivator

If it works for you, you should convert this comment to an answer and mark it as accepted, so others can see your problem is fixed 😉

0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

 (view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...