Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Seperate One Event into Multiple Events
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Need some help breaking an event out into multiple events.
For example the following event:
7368:20130826:133019.286 status
7368:20130826:133019.389 status
7368:20130826:133019.414 status
7368:20130826:133019.433 status
The format is pid:date/timestamp space status
I have tried adding the following things to the indexer:
props.conf:
[sourcetype]
SHOULD_LINEMERGE = false
LINE_BREAKER = (\d+:%Y%m%d:%H%M%S.%3N\s)([\r\n])
and
MUST_BREAK_AFTER = (\d+:%Y%m%d:%H%M%S.%3N\s)|([\r\n])
Neither of the above seems to have any effect either good or bad on the data even after restarting the service.
What I want is everytime splunk encounters the above format of pid:date/timestamp it creates a new event.
Splunk does seem to be matching the date/timestamps up correctly it just seems to lump all the events under the one event.
Since I'm new to both splunk and regex expressions I'm not sure the best way to go about this.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Assuming that all events in the log file follow this format you should configure like so;
props.conf
[your_sourcetype_here]
SHOULD_LINEMERGE = false
TIME_PREFIX = :
TIME_FORMAT = %Y%m%d:%H%M%S.%3N
SHOULD_LINEMERGE = false implies that all events are single-line, and you should not need to specify any LINE_BREAKER.
MUST_NOT_BREAK_AFTER and similar BREAK_ONLY_BEFORE... etc are only relevant when SHOULD_LINEMERGE = true
Hope this helps,
K
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Assuming that all events in the log file follow this format you should configure like so;
props.conf
[your_sourcetype_here]
SHOULD_LINEMERGE = false
TIME_PREFIX = :
TIME_FORMAT = %Y%m%d:%H%M%S.%3N
SHOULD_LINEMERGE = false implies that all events are single-line, and you should not need to specify any LINE_BREAKER.
MUST_NOT_BREAK_AFTER and similar BREAK_ONLY_BEFORE... etc are only relevant when SHOULD_LINEMERGE = true
Hope this helps,
K
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This worked perfectly, thanks Kristian.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can this still be used if not all entries in the log file follow that format?
There are some entries that do not have a clear date/time stamp. I am not as concerned that those get separated out properly as I am that every time splunk hits the above date/time stamp it creates a new event.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas
What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)
Automating Threat Operations and Threat Hunting with Recorded Future
