Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Multiple lines with the same time

dobarnes
New Member
‎02-24-2012 11:29 AM

I have logs from a custom application being streamed into splunk usinig a unverisal forwarder. The probelem I have there is multiple lines with the same time. See below.

19:12:51.790,16526719,TCP,2,3404,2226
19:12:51.790,66870655,TCP,10,53743,355114
19:12:51.790,199246079,TCP,5,2937,5715
19:12:51.790,281972991,TCP,2,55722,43156
19:12:51.790,282382591,TCP,11,2458,11480

I have extracted the fields of there data using the props.conf and the transforms.com files however when I do a search by what we call Cust_id it only pulls out the information from the first line logged for a time stamp. In the above example it would only find Cust_id = 16526719

How can I adjust my query to find the Cust_id per every line that is indexed in Splunk?

0 Karma
Reply

dobarnes
New Member
‎03-12-2012 07:12 AM

Thanks for the answer. It did work when I applied the line break to the indexer.

0 Karma
Reply

dobarnes
New Member
‎02-27-2012 07:29 AM

I restarted Splunk and ran a real time search to see if the new index data would be line breaked. It did not address the issue.

FYI - I am using a search head and multiple indexer. I have only made the adjustment on the search head. Do I need to do this on the indexers as well?

0 Karma
Reply

_d_
Splunk Employee
Splunk Employee
‎02-27-2012 07:33 AM

YES! The LINE_BREAKER and SHOULD_LINEMERGE settings are effective only at index-time (read indexer) and ignored by the search head :). On the other hand, EXTRACT-cust_id is used by the search head to performs the extraction of the field at search time.

0 Karma
Reply

dobarnes
New Member
‎02-27-2012 07:14 AM

I tried the both suggestions however I am unable to have Splunk break every line

0 Karma
Reply

MarioM
Motivator
‎02-27-2012 07:22 AM

and it will only apply to new data

0 Karma
Reply

_d_
Splunk Employee
Splunk Employee
‎02-27-2012 07:16 AM

dobarnes, did you restart splunk (indexer) after editing line breaking on props.conf?

0 Karma
Reply

_d_
Splunk Employee
Splunk Employee
‎02-26-2012 04:13 PM

It is more efficient, faster and easier for Splunk to break on every line than to line merge for each event. Try the following stanza on props.conf - it will both break the stream of data at every line AND extract a cust_id field per each event:

[my_sourcetype]
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)
EXTRACT-cust_id = (?i)\.\d{3},(?<cust_id>\d+),

Hope this helps.

> please upvote and accept answer if you find it useful - thanks!

Reply

MarioM
Motivator
‎02-26-2012 02:55 AM

Do you need to keep it as multiline ? because i would get splunk to treat each line as single event and use delims to extract fields.

props.conf:

[your_data_sourcetype]
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)
REPORT-delims=commalist

transforms.conf:

[commalist] 
DELIMS = "," 
FIELDS = field1, field2, field3, ...
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

SplunkTrust Application Period is Officially OPEN!

It's that time, folks! The application/nomination period for the 2026-2027 SplunkTrust is officially open. If ...

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Unlocking Unified Insights: New Gigamon Federated Search App for Splunk

In today’s data-heavy environment, organizations are caught in a data distribution dilemma. As data volumes ...