Splunk Search
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Is there a way to use structured field extraction (PSV in this case) that works with multiline field values?

ljolly
Explorer
‎01-12-2016 12:08 AM

Hi There,

I have been trying with no luck today to do a structured field extraction using the "Add Data" function of my test environment:
Splunk Version 6.3.1
RHEL

The data looks something like this:

2016-01-11 08:22:11.048 +10:00|SDLC||someuniquedata|Appname|ver|11|Information| Single line message
2016-01-11 08:22:12.249 +10:00|SDLC||someuniquedata|Appname|ver|11|Warning| multi-line message part 1
 multi-line message part 2
 multi-line message part 3
2016-01-11 08:22:26.227 +10:00|SDLC||someuniquedata|Appname|ver|48|Information| Single line message

But when I configure the parameters to do a PSV field extraction, the multiline message part 2 and 3 lines are created as separate events. At this point, since I have used many combinations of SHOULD_LINEMERGE ( and dependent config options such as BREAK_ONLY_*) and LINE_BREAK to no avail, I am left with the sinking feeling that this is just the way this type of structured data is handled...

Is there something else (perhaps outside of the gui) that I could try?

Regards,
Luke

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ljolly
Explorer
‎01-14-2016 01:15 AM

I managed to answer my own question, which is nice. 🙂

props.conf

[psv-iis]
SHOULD_LINEMERGE = true
NO_BINARY_CHECK = true
category = Custom
disabled = false
REPORT-extractpsv = extractpsv-iis
pulldown_type = true

transforms.conf

[extractpsv-iis]
DELIMS = "|"
FIELDS = Timestamp , Environment , ClientIP , CorrelationId , ApplicationName , ApplicationVersion , ThreadId , Level , Message

Regards,
Luke

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

ljolly
Explorer
‎01-14-2016 01:15 AM

I managed to answer my own question, which is nice. 🙂

props.conf

[psv-iis]
SHOULD_LINEMERGE = true
NO_BINARY_CHECK = true
category = Custom
disabled = false
REPORT-extractpsv = extractpsv-iis
pulldown_type = true

transforms.conf

[extractpsv-iis]
DELIMS = "|"
FIELDS = Timestamp , Environment , ClientIP , CorrelationId , ApplicationName , ApplicationVersion , ThreadId , Level , Message

Regards,
Luke

0 Karma
Reply
Solved! Jump to solution

ljolly
Explorer
‎01-12-2016 08:38 PM

I managed to answer my own question, which is nice. 🙂

props.conf

[psv-iis]
SHOULD_LINEMERGE = true
NO_BINARY_CHECK = true
category = Custom
disabled = false
REPORT-extractpsv = extractpsv-iis
pulldown_type = true

transforms.conf

[extractpsv-iis]
DELIMS = "|"
FIELDS = Timestamp , Environment , ClientIP , CorrelationId , ApplicationName , ApplicationVersion , ThreadId , Level , Message

Regards,
Luke

0 Karma
Reply
Solved! Jump to solution

DMohn
Motivator
‎01-14-2016 12:25 AM

If it works for you, you should convert this comment to an answer and mark it as accepted, so others can see your problem is fixed 😉

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing the Expansion of the Splunk Academic Alliance Program

The Splunk Community is more than just an online forum — it’s a network of passionate users, administrators, ...

Learn Splunk Insider Insights, Do More With Gen AI, & Find 20+ New Use Cases You Can ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Buttercup Games: Further Dashboarding Techniques (Part 7)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...
Top