Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Line breaking with custom regex

Simon
Contributor
‎07-09-2013 04:42 AM

Hi All

I've got a very bad csv to index, which is basically a csv with 63 columns and tildes as separators, because field contents may include any characters except tildes... However... Line breaking is very difficult since the only hint for a new event is the 63th occurence of a tilde... I've got a regex to match one single event:

((([^\~]*?)\~){63})

Any idea how I can transform into a LINE_BREAKER regex? Using this regex will put the content in the first csv column into an event without the 62 other csv columns.

Thanks
Simon

0 Karma
Reply

bmacias84
Champion
‎07-09-2013 08:52 AM

If your data is truely a csv and there is a timestamp just set SHOULD_LINEMERGE=false which should break on each new line. Also with an event as wide as yours you may need to increase your TRUNCATE= to accomidate the event length. Posting a scrubed event might help too.

Reply

Simon
Contributor
‎08-05-2013 11:51 PM

Thanks for your answer. Unfortunately it isn't a true csv. It's a kind of csv with {-} as delimiter and the field contents may have multiliners.

In the mean time I got a solution by myself:

SHOULD_LINEMERGE = true
BREAK_ONLY_BEFORE = ((([^{]*?){~}){63})

Which breaks after the 63th occurence of {-} and respects empty values.

0 Karma
Reply
Get Updates on the Splunk Community!

Dashboards: Hiding charts while search is being executed and other uses for tokens

There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...

Brains, Bytes, and Boston: Learn from the Best at .conf25

When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...