actual want to splink into miultiple lines.

@ITWhisperer 

currently csv raw data refelcting in splunk as mentioed below: If you notice event at 2:48:32.000 AM there are multiple csv lines, which is causing confusion.  I am looking for splunk out put as mentioned in 2:49:30.000 AM and 2:50:30.000 AM.

Hope this helps.

8/5/24

2:48:32.000 AM
"filename_Time15151515.html","http://testdata1.html"
"filename_Time15151515.html","http://testdata2.gif"
"filename_Time15151515.html",""http://testdata3.doc"
"filename_Time15151515.html",""http://testdata4.xls"
"filename_Time15151515.html",""http://testdata5.aspx"

2:49:30.000 AM
"filename_Time15151515.html",""http://testtest.aspx"

2:50:30.000 AM
"filename_Time46657555.html",""http://tessttestsest.aspx"

Assuming the filenames are in a field called filenames, you could try this

| eval filenames=split(filenames,"
")
| mvexpand filenames
| rex field=filenames "\"(?<file>[^\"]+)\",\"(?<url>[^\"]+)\""

@ITWhisperer ,

As you are suggesting to use;

index=indexname host=server source="/SEM/Emblinksautomation/UploadEmblinks/Uploadlinks.csv"
| rex "^\"(?<filename>[^\"]*)\"\,\"(?<url>[^\"]*)\""
| eval filename=split(filename,"")
| mvexpand filename
| rex field=filename "\"(?<file>[^\"]+)\",\"(?<url>[^\"]+)\""

It depends on what you events look like i.e. what the fields are called and what is in them. You should give more accurate information as I don't have access to your data and only know what you have shared so far.

Okay let me show the exact requirment. Now if you look at the event below. Below data is coming from CSV data. Now 1st event  has muliple csv lines, which is creating confusion when counting the data. These multile events are counted has one event which is not the case. But if you look at second even which has one row with filename and link. I need to seperate 1st event (which has multple lines) into spereate events and need to use table command to list the data in the dashboard.  

When I am runing the regex it shows on 24000 records. But in CSV the files line counts are more than 200000 count. Which is not matching. Not sure why splunk is reading mulitple rows into 1 event.

Hope this helps.

First, a table "row" in CSV is not defined by linefeed in the document.  If some of your ingested CSV events do not contain CSV header, you need to focus on fixing the ingestion linebreaker problem.  No amount of regex can save broken ingestion and corrupt raw events.

OK it looks like all your data is in _raw?

| eval filenames=split(_raw,"
")
| mvexpand filenames
| rex field=filenames "\"(?<file>[^\"]+)\",\"(?<url>[^\"]+)\""

This is still not working. Data count is not matching. Can you confirm the complete query again:

index=index host=server source="/UploadEmblinks/Uploadlinks.csv"
| rex "^\"(?<filenames>[^\"]*)\"\,\"(?<url>[^\"]*)\""
| eval filenames=split(_raw,"")
| mvexpand filenames
| rex field=filenames "\"(?<file>[^\"]+)\",\"(?<url>[^\"]+)\""

Paste your search into a code block (like I have with mine) so it preserves formatting.

index=index host=host  source="/Emblinksautomation/UploadEmblinks/Uploadlinks.csv" 
| rex "^\"(?<filenames>[^\"]*)\"\,\"(?<url>[^\"]*)\""
| eval filenames=split(_raw,"")
| mvexpand filenames
| rex field=filenames "\"(?<file>[^\"]+)\",\"(?<url>[^\"]+)\""

You are missing the new line in the split command as shown in my suggestion - try using the command exactly as I suggested