Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Searching a single line at a time

anirbanukil
Explorer
‎12-05-2011 09:15 AM

My Search query:

source="test source" "AggCd" AND  "test2# " AND "TransTypeCd " AND (NOT ("test2# null")) | rex "test2# (?<test_no>\d+),"| where (!isnum(test_no))

Search result (5 lines being returned):

[11/28/11 0:59:57:958 EST] 000027ad SystemOut     O AggCd , RqUID 2011-11-28T00:59:57-05:0033999785, test# 20412042, TransTypeCd PE, SubTransTypeCd , Term CURRENT, Status 00

[11/28/11 0:59:57:973 EST] 000027b4 SystemOut     O AggCd , RqUID 70485b0a-42f8-99f2-efd78929db9f, test2# 6759 !47, TransTypeCd RQ, 

[11/28/11 0:59:57:977 EST] 000027b4 SystemOut     O AggCd , RqUID 7048ab0a-42f8-99f2-efd78929db9f, TransTypeCd RQ, MAILER 15 ms

[11/28/11 0:59:58:006 EST] 000027b0 SystemOut     O Host requesting current state inquiry on 

[11/28/11 0:59:58:017 EST] 000027b4 SystemOut     O AggCd , RqUID 7048546-42f8-99f2-efd78929db9f, TransTypeCd RQ,

Question:

I want to search for one line at a time not a collection of indexed lines.
I don't want to change SHOULD_LINEMERGE to "false" in props.conf (default is true).

Tags (3)
0 Karma
Reply

woodcock
Esteemed Legend
‎05-30-2015 07:40 AM

Your linebreaking is broken and there is no sense talking about using your events as-is: you need to fix your events first. Read this (do NOT skim it) and act accordingly:

http://docs.splunk.com/Documentation/Splunk/6.2.3/Data/Indexmulti-lineevents

0 Karma
Reply

anirbanukil
Explorer
‎12-05-2011 09:58 AM

You are partly right.
I am getting multiple events as the Search result when the Search is executed.

I want to search one event (ex: [11/28/11 0:59:57:958 EST] 000027ad SystemOut O AggCd , RqUID 2011-11-28T00:59:57-05:0033999785, test# 20412042, TransTypeCd PE, SubTransTypeCd , Term CURRENT, Status 00) at a time rather than all the 5 lines as shown above.

0 Karma
Reply

Ayn
Legend
‎12-05-2011 09:51 AM

I don't understand, these look like multiple events, not just one event with multiple lines. Is that correct? If so, please clarify what you would like to achieve and how you aren't achieving it now.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...