Splunk Search

Multiple Records - one file

jgauthier
Contributor

Is it possible for splunk to be able to index a file with this kind of formatting:

host=hostname
sourcetype=source
timestamp=timestamp
field1=unique data
field2=unique data
field3=unique data
field4=unique data
host=hostname
sourcetype=source
timestamp=timestamp
field1=unique data
field2=unique data
field3=unique data
field4=unique data
host=hostname
sourcetype=source
timestamp=timestamp
field1=unique data
field2=unique data
field3=unique data
field4=unique data

Making each "record" a unique record in splunk as well, using the host, sourcetype, and timestamp on each?

Thanks.


lguinn2
Legend

No problem. If you want each line to be processed as a separate event, you can do this in props.conf

[source::<yourfilenamehere>]
SHOULD_LINEMERGE = false

But, if you want Splunk to start a new event each time it sees "host=", do this in props.conf

[source::<yourfilenamehere>]
SHOULD_LINEMERGE = true
BREAK_ONLY_BEFORE = host\=

Finally, if you want to override the source, sourcetype and host of the incoming events, based on the fields in the data, you will need to add the following lines to props.conf

TRANSFORMS-t1=hostOverride
TRANSFORMS-t2=sourcetypeOverride

and create a transforms.conf that contains

[hostOverride]
DEST_KEY = MetaData:Host
REGEX = host\=(\S+)
FORMAT = host::$1

[sourcetypeOverride]
DEST_KEY = MetaData:Sourcetype
REGEX = sourcetype\=(\S+)
FORMAT = sourcetype::$1

Finally, add the following line to props.conf to tell it to use timestamp= as your timestamp. You have not indicated the format of your timestamp, so I will assume that it is a format that Splunk can process automatically - if not, you may also need to add a line to specify the TIME_FORMAT.

TIME_PREFIX = timestamp\=
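As an added illustration (not part of the answer above and not Splunk's own code), the following Python script emulates what the props.conf and transforms.conf settings in the answer would do to a file like the one in the question: merge lines, start a new event only at a line beginning with "host=", then pull host, sourcetype and the timestamp out of each event with the same regular expressions. It is useful for checking that the regexes match your real records before deploying the configuration. The sample file, the function names and the assumed timestamp format (the question gives none) are constructed for this example; Splunk's actual line breaking and time parsing have more options than are modelled here.

```python
import re
from datetime import datetime

# Constructed sample input in the layout from the question (not real data).
SAMPLE_FILE = """host=web01
sourcetype=app_log
timestamp=2024-05-01 12:00:01
field1=alpha
field2=beta
field3=gamma
field4=delta
host=db02
sourcetype=db_log
timestamp=2024-05-01 12:00:07
field1=one
field2=two
field3=three
field4=four
"""

# Same patterns as BREAK_ONLY_BEFORE, the two transforms and TIME_PREFIX in the answer.
BREAK_ONLY_BEFORE = re.compile(r"host=")
HOST_RE = re.compile(r"host=(\S+)")
SOURCETYPE_RE = re.compile(r"sourcetype=(\S+)")
TIME_PREFIX_RE = re.compile(r"timestamp=")
# Assumed format for this example only; the question does not state one.
TIME_FORMAT = "%Y-%m-%d %H:%M:%S"


def break_events(text):
    """Emulate SHOULD_LINEMERGE = true with BREAK_ONLY_BEFORE: lines are merged
    into one event, and a new event starts only at a line that matches the
    pattern (matched at line start here, a simplification)."""
    events = []
    current = []
    for line in text.splitlines():
        if BREAK_ONLY_BEFORE.match(line) and current:
            events.append("\n".join(current))
            current = []
        current.append(line)
    if current:
        events.append("\n".join(current))
    return events


def extract_metadata(event):
    """Emulate the hostOverride and sourcetypeOverride transforms and TIME_PREFIX
    on a single event. A field that does not match is returned as None, which is
    the case where Splunk would keep the input's default host/sourcetype."""
    host = HOST_RE.search(event)
    sourcetype = SOURCETYPE_RE.search(event)
    prefix = TIME_PREFIX_RE.search(event)
    timestamp = None
    if prefix:
        # Everything after "timestamp=" up to the end of that line is the timestamp text.
        rest = event[prefix.end():].split("\n", 1)[0]
        timestamp = datetime.strptime(rest.strip(), TIME_FORMAT)
    return {
        "host": host.group(1) if host else None,
        "sourcetype": sourcetype.group(1) if sourcetype else None,
        "_time": timestamp,
        "_raw": event,
    }


def parse_file(text):
    """Break the file into events and attach the extracted metadata to each."""
    return [extract_metadata(event) for event in break_events(text)]


if __name__ == "__main__":
    for event in parse_file(SAMPLE_FILE):
        print(event["host"], event["sourcetype"], event["_time"])
        print(event["_raw"])
        print("---")
```

Running it on the sample produces two events, the first with host web01 and sourcetype app_log, the second with host db02 and sourcetype db_log, each carrying its own timestamp. Because the transforms use \S+, a host or sourcetype value containing whitespace would be truncated at the first space; check the output against a real sample of the file before relying on the overrides.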