Splunk Search

Separate One Event into Multiple Events

sir_reel
Explorer

Need some help breaking an event out into multiple events.

For example the following event:

 7368:20130826:133019.286 status
 7368:20130826:133019.389 status
 7368:20130826:133019.414 status
 7368:20130826:133019.433 status

The format is pid:date/timestamp space status

I have tried adding the following things to the indexer:

props.conf:

[sourcetype]
SHOULD_LINEMERGE = false
LINE_BREAKER = (\d+:%Y%m%d:%H%M%S.%3N\s)([\r\n])

and

MUST_BREAK_AFTER = (\d+:%Y%m%d:%H%M%S.%3N\s)|([\r\n])

Neither of the above seems to have any effect either good or bad on the data even after restarting the service.

What I want is every time Splunk encounters the above format of pid:date/timestamp it creates a new event.

Splunk does seem to be matching the date/timestamps up correctly; it just seems to lump all the events under the one event.

Since I'm new to both Splunk and regex expressions, I'm not sure the best way to go about this.

1 Solution

kristian_kolb
Ultra Champion

Assuming that all events in the log file follow this format, you should configure like so:

props.conf

[your_sourcetype_here]
SHOULD_LINEMERGE = false
TIME_PREFIX = :
TIME_FORMAT = %Y%m%d:%H%M%S.%3N

SHOULD_LINEMERGE = false implies that all events are single-line, and you should not need to specify any LINE_BREAKER.

MUST_NOT_BREAK_AFTER and similar BREAK_ONLY_BEFORE... etc. are only relevant when SHOULD_LINEMERGE = true.

Hope this helps,

K
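
An added Python emulation (not code from the thread or from Splunk) of the two points above: why the LINE_BREAKER from the question cannot match anything, since LINE_BREAKER is a regular expression and %Y, %m, %3N in it are literal text, and how SHOULD_LINEMERGE = false plus TIME_PREFIX/TIME_FORMAT turn every line into its own event with its own timestamp. The sample lines are constructed from the question, the timestamp regex is hand-written for this one format, and what Splunk does with lines that carry no timestamp is not emulated.

```python
import re
from datetime import datetime

# Constructed sample log modelled on the lines quoted in the question.
SAMPLE_LOG = (
    "7368:20130826:133019.286 status\n"
    "7368:20130826:133019.389 status\n"
    "7368:20130826:133019.414 status\n"
    "7368:20130826:133019.433 status\n"
)

# The LINE_BREAKER value from the question, taken literally.
QUESTION_LINE_BREAKER = r"(\d+:%Y%m%d:%H%M%S.%3N\s)([\r\n])"

# The settings from the accepted answer. TIME_PREFIX is a regex that positions
# the timestamp parser; TIME_FORMAT is strptime-style (%3N = milliseconds).
TIME_PREFIX = ":"
TIME_FORMAT = "%Y%m%d:%H%M%S.%3N"

# Regex equivalent of TIME_FORMAT above (assumption: hand-built for this one
# format, not a general TIME_FORMAT translator).
TIME_FORMAT_RE = re.compile(r"\d{8}:\d{6}\.\d{3}")


def question_breaker_matches(raw):
    """LINE_BREAKER is a regular expression, so %Y, %m, ... match the literal
    characters '%Y', '%m', ... and never real digits: False for the sample."""
    return re.search(QUESTION_LINE_BREAKER, raw) is not None


def break_events(raw):
    """SHOULD_LINEMERGE = false: every non-empty line is its own event."""
    return [line for line in raw.splitlines() if line.strip()]


def extract_timestamp(event):
    """Emulate TIME_PREFIX = ':' then TIME_FORMAT = %Y%m%d:%H%M%S.%3N: skip to
    just after the first ':' and parse the timestamp found there. Returns None
    when no timestamp follows the prefix (the unformatted lines asked about in
    the follow-up); Splunk's own fallback for such lines is not emulated."""
    prefix = re.search(TIME_PREFIX, event)
    if prefix is None:
        return None
    ts = TIME_FORMAT_RE.match(event, prefix.end())
    if ts is None:
        return None
    # Python's %f accepts 1-6 fractional digits, so the 3-digit %3N parses as-is.
    return datetime.strptime(ts.group(0), "%Y%m%d:%H%M%S.%f")


def index(raw):
    """Break the raw text into (timestamp, event) pairs, one per line."""
    return [(extract_timestamp(e), e) for e in break_events(raw)]
```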

sir_reel
Explorer

This worked perfectly, thanks Kristian.

sir_reel
Explorer

Can this still be used if not all entries in the log file follow that format?

There are some entries that do not have a clear date/time stamp. I am not as concerned that those get separated out properly as I am that every time Splunk hits the above date/time stamp it creates a new event.