Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Line break or merge?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi all,
How would I go about merging multiple values on multiple lines so all values are captured? Currenlty, I am only seeing values from the first line. Data below.
2018-01-23 13:48:42 Protocol="TCP" LocalAddress="0.0.0.0" LocalPort="135" RemoteAddress="0.0.0.0" RemotePort="0" State="LISTENING" ProcessName="svchost" PID="860"
2018-01-23 13:48:42 Protocol="TCP" LocalAddress="0.0.0.0" LocalPort="443" RemoteAddress="0.0.0.0" RemotePort="0" State="LISTENING" ProcessName="System" PID="4"
2018-01-23 13:48:42 Protocol="TCP" LocalAddress="0.0.0.0" LocalPort="445" RemoteAddress="0.0.0.0" RemotePort="0" State="LISTENING" ProcessName="System" PID="4"
2018-01-23 13:48:42 Protocol="TCP" LocalAddress="0.0.0.0" LocalPort="3389" RemoteAddress="0.0.0.0" RemotePort="0" State="LISTENING" ProcessName="svchost" PID="2480"
2018-01-23 13:48:42 Protocol="TCP" LocalAddress="0.0.0.0" LocalPort="4445" RemoteAddress="0.0.0.0" RemotePort="0" State="LISTENING" ProcessName="enstart64" PID="1760"
2018-01-23 13:48:42 Protocol="TCP" LocalAddress="0.0.0.0" LocalPort="5985" RemoteAddress="0.0.0.0" RemotePort="0" State="LISTENING" ProcessName="System" PID="4"
2018-01-23 13:48:42 Protocol="TCP" LocalAddress="0.0.0.0" LocalPort="8089" RemoteAddress="0.0.0.0" RemotePort="0" State="LISTENING" ProcessName="splunkd" PID="10180"
Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This has been resolved. I was using the incorrect sourcetype.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Also answered here: link text
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Do all these lines part of one Splunk event? OR they appear (each line with timestamp) as separate event?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Believe so. Each line begins with a timestamp and there are several values for the fields shown that appear on each line. This is a dump of the netstat -ano command on a Windows server.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can use props.conf to prevent line breaking but you will need a unique identifier at the end or beginning of your event. Then you can use RegEx to locate that identifier to group everything.
https://docs.splunk.com/Documentation/Splunk/7.0.1/Data/Configureeventlinebreaking
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Splunk Community Badges!
How to find the worst searches in your Splunk environment and how to fix them
Share Your Feedback: On Admin Config Service (ACS)!
