Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Multiple Records - one file

jgauthier
Contributor
‎03-02-2012 01:20 PM

Is it possible for splunk to be able to index a file with this kind of formatting:

host=hostname
sourcetype=source
timestamp=timestamp
field1=unique data
field2=unique data
field3=unique data
field4=unique data
host=hostname
sourcetype=source
timestamp=timestamp
field1=unique data
field2=unique data
field3=unique data
field4=unique data
host=hostname
sourcetype=source
timestamp=timestamp
field1=unique data
field2=unique data
field3=unique data
field4=unique data

Making each "record" a unique record in splunk as well, using the host, sourcetype, and timestamp on each?

Thanks.

Tags (2)
0 Karma
Reply

lguinn2
Legend
‎03-02-2012 03:25 PM

No problem. If you want each line to be processed as an separate event, you can do this in props.conf

[source::<yourfilenamehere>]
SHOULD_LINEMERGE = false

But, if you want Splunk to start a new event each time it sees "host=", do this in props.conf

[source::<yourfilenamehere>]
SHOULD_LINEMERGE = true
BREAK_ONLY_BEFORE = host\=

Finally, if you want to override the source, sourcetype and host of the incoming events, based on the fields in the data, you will need to add the following lines to props.conf

TRANSFORMS-t1=hostOverride
TRANSFORMS-t2=sourcetypeOverride

and create a transforms.conf that contains

[hostOverride]
DEST_KEY = MetaData:Host
REGEX = host\=(\S+)
FORMAT = host::$1

[sourcetypeOverride]
DEST_KEY = MetaData:Sourcetype
REGEX = sourcetype\=(\S+)
FORMAT = sourcetype::$1

Finally, add the following line to props.conf to tell it to use timestamp= as your timestamp. You have not indicated the format of your timestamp, so I will assume that it is a format that Splunk can process automatically - if not, you may also need to add a line to specify the TIMEFORMAT.

TIME_PREFIX = timestamp\=
Reply
Get Updates on the Splunk Community!

See Splunk Platform & Observability Innovations at Cisco Live EMEA

Hi Splunkers, Learn about what’s next for Splunk Platform at Cisco Live EMEA.  Data silos are a big challenge ...

The OpenTelemetry Certified Associate (OTCA) Exam

What’s this OTCA exam? The Linux Foundation offers the OpenTelemetry Certified Associate (OTCA) credential to ...

From Manual to Agentic: Level Up Your SOC at Cisco Live

Welcome to the Era of the Agentic SOC   Are you tired of being a manual alert responder? The security ...