Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Logfile with multiple newlines splunk only grabs the first line

kashnburn
Engager
‎12-10-2020 10:07 AM

I'm fairly new to splunk so please bare with me. I have a logfile that has multiple lines of data. However when I do my search I get mixed results.

Here is an example logfile. 

Crashed Jobs for Thu Dec 10 12:05:01 EST 2020 in qa environment
Job started @ 20201210120501
CustomerHistoryLoad_fixLoad_FileFix_PART
call_SPBatchDetail_Web.Job_BatchDetailStartWebDeptRequirements
EmployeeMasterPull
get_ControlState_StoreCloseMonitor.Job_GetControlState_StrClsMon
RunSeqBusinessEODLoad
run_CustomerLoadSeq
run_SalesLease_LoadSeq
run_Vendor_CDP_DW_LoadExportSeq
run_Vendor_POSLog_ExportSeq_Adhoc_Run
run_WebApr_LoadSeq
run_WebDeptRequirements_LoadSeq
Seq_HRMS_AD_to_DW
StoreCloseMonitorSeq
Job ended @ 20201210121407

Here is my search - 

index=bli_datastage_crash_jobs_qa sourcetype=bli_datastage_crash_jobs | rex field=_raw "From:(?<Crashed>.*) To:(?<Job>.*)" 

The problem is I get multiple events instead of just one event. I suspect I have breaks (newlines) in this logfile but I can't seem to get all the lines included into a single event. Appears the data is getting indexed as separate events.  Any advice on getting the data indexed as a single event would be greatly appreciated. 

Labels (2)
Labels
0 Karma
Reply

to4kawa
Ultra Champion
‎12-10-2020 01:22 PM

Why not check props.conf and should_linemerge and line_breaker?

0 Karma
Reply

kashnburn
Engager
‎06-17-2021 06:26 AM

I added a LINE_BREAKER to props.conf and added transforms.conf and it's working now. 

Thank you

0 Karma
Reply
Get Updates on the Splunk Community!

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA

Join us on Wed, Dec 10. at 10AM PST / 1PM EST for a live webinar and demo with Splunk experts! Discover how ...

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

If you’re unfamiliar, .conf is Splunk’s premier event where the Splunk community, customers, partners, and ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

There’s something special about this time of year—maybe it’s the glow of the holidays, maybe it’s the ...