Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Logfile with multiple newlines splunk only grabs the first line

kashnburn
Engager
‎12-10-2020 10:07 AM

I'm fairly new to splunk so please bare with me. I have a logfile that has multiple lines of data. However when I do my search I get mixed results.

Here is an example logfile. 

Crashed Jobs for Thu Dec 10 12:05:01 EST 2020 in qa environment
Job started @ 20201210120501
CustomerHistoryLoad_fixLoad_FileFix_PART
call_SPBatchDetail_Web.Job_BatchDetailStartWebDeptRequirements
EmployeeMasterPull
get_ControlState_StoreCloseMonitor.Job_GetControlState_StrClsMon
RunSeqBusinessEODLoad
run_CustomerLoadSeq
run_SalesLease_LoadSeq
run_Vendor_CDP_DW_LoadExportSeq
run_Vendor_POSLog_ExportSeq_Adhoc_Run
run_WebApr_LoadSeq
run_WebDeptRequirements_LoadSeq
Seq_HRMS_AD_to_DW
StoreCloseMonitorSeq
Job ended @ 20201210121407

Here is my search - 

index=bli_datastage_crash_jobs_qa sourcetype=bli_datastage_crash_jobs | rex field=_raw "From:(?<Crashed>.*) To:(?<Job>.*)" 

The problem is I get multiple events instead of just one event. I suspect I have breaks (newlines) in this logfile but I can't seem to get all the lines included into a single event. Appears the data is getting indexed as separate events.  Any advice on getting the data indexed as a single event would be greatly appreciated. 

Labels (2)
Labels
0 Karma
Reply

to4kawa
Ultra Champion
‎12-10-2020 01:22 PM

Why not check props.conf and should_linemerge and line_breaker?

0 Karma
Reply

kashnburn
Engager
‎06-17-2021 06:26 AM

I added a LINE_BREAKER to props.conf and added transforms.conf and it's working now. 

Thank you

0 Karma
Reply
Get Updates on the Splunk Community!

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...