Re: Merge multiple line to one line with end, star...

nnips · ‎04-12-2018

Hi, I'm have trouble with multiple line in my logs and i have many information dont need in this logs.
So I'm want get some information in this log with start line and end line. Anyone have idea for this ?
Example:

Oracle Database 10g Release 
CPU:
RAM:

Thu Apr 12 12:00:00 2012
LENGTH : '111'
ACTION :[7] 'CONNECT'
DATABASE USER:[1] '/'
PRIVILEGE :[6] 'SYSDBA'
CLIENT USER:[6] 'oracle'
CLIENT TERMINAL:[5] 'pts/1'
STATUS:[1] '0

=> Results:

Thu Apr 12 12:00:00 2012
LENGTH : '111'
ACTION :[7] 'CONNECT'
DATABASE USER:[1] '/'
PRIVILEGE :[6] 'SYSDBA'
CLIENT USER:[6] 'oracle'
CLIENT TERMINAL:[5] 'pts/1'
STATUS:[1] '0

=> Somthing dont need:

Oracle Database 10g Release 
CPU:
RAM:

p_gurav · ‎04-12-2018

Hi

Can you try to add HEADER_FIELD_LINE_NUMBER like this in props.conf:

[your_sourcetype]
HEADER_FIELD_LINE_NUMBER = 4

Merge multiple line to one line with end, start line desire?

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you a member of the Splunk Community?

Merge multiple line to one line with end, start line desire?

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem