Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Modifying multi line event before indexing

mmaier_splunk
Splunk Employee
Splunk Employee
‎12-10-2014 04:30 AM

Hello,

i have an application that has an bug in the logging, but i need to workaround it.

log structure:

Dec  10 13:21:09 abc: request:
Session: ******
User-Agent: ********
Content-Length:     ****
Content-Type: *********

positionDec  10 13:22:09 abc: reply:
Session: ********
Date: 2014-12-09T14:33:09Z
Range: *****
Scale: ****
Content-Type: ****
Content-Length: ***

position: ******

this are two events. in the request event it writes at the and in the beginning of the replay message "position:"

i tried already with seed to remove the "position:" - but it is valid in the replay event and it would remove this one as well.

i guess i need to do it via transforms.conf as it needs to be done before we check for the timestamp, otherwise the full line will be used to the event to detect the timestamp.

i tried to add via transforms a line break, but did not work.

[position-fix]
REGEX = (?m)^(.*)position.*
FORMAT = $1\n position1$2
DEST_KEY = _raw

thanks a lot for any advice.

Tags (1)
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎12-10-2014 06:45 AM

The following should remove the stray "position"

REGEX = (.*)position(?=[^:])(.*)
FORMAT = $1\n$2
DEST_KEY = _raw
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

lrudolph
Path Finder
‎12-10-2014 11:37 AM

Hi richgalloway,

your suggestion doesn't work 😞

props.conf:

[abc_xyzprovider]
BREAK_ONLY_BEFORE = abc:
MAX_TIMESTAMP_LOOKAHEAD = 15
NO_BINARY_CHECK = 1
TIME_FORMAT = %b %d %H:%M:%S
TRANSFORMS-positionfix = position-fix
TZ = UTC
pulldown_type = 1

transforms.conf:

[position-fix]
REGEX = (.)position(?=[^:])(.)
FORMAT = $1\n$2
DEST_KEY = _raw

Still the "position" element (which belongs to the last event) is shown in the next event.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎12-10-2014 12:22 PM

Your REGEX line is not the same as mine. The asterisks are critical. If you want "position" to remain with the first event, try this regex:

(.*position)(?=[^:])(.*)
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

lrudolph
Path Finder
‎12-10-2014 11:02 PM

Sorry, copy & paste must have missed something. But also with correct regex the result is:

\nDec  9 14:33:09 abc: reply:

Sideeffect is also that everything that comes after this first line from the event is somehow deleted.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

Introduction to Splunk AI

How are you using AI in Splunk? Whether you see AI as a threat or opportunity, AI is here to stay. Lucky for ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Maximizing the Value of Splunk ES 8.x

Splunk Enterprise Security (ES) continues to be a leader in the Gartner Magic Quadrant, reflecting its pivotal ...