Splunk Search

Showing multiline _raw data in a table

Hazel
Communicator

Hello,

I am rewriting this - hope it makes more sense. I have config files, which I am passing into Splunk as follows.

The file is a list of comments (which I don't want) followed by stuff I do want that starts with the word sample, so I use this, split at sample, then delete anything that starts with a # (the comments):

[queueconfig]
CHECK_METHOD = entire_md5
SHOULD_LINEMERGE = true
BREAK_ONLY_BEFORE = ^sample
TRANSFORMS-emsThree = commentRemoval

[commentRemoval]
REGEX=^#
DEST_KEY = queue
FORMAT = nullQueue

You end up with an event, e.g

sample
sample1
queue1
topic1

What I want is to now put this data into a multiline field, but it doesn't work.

I have tried the following

[multiLineTopic]
REGEX = (?m-s)(.*)
MV_ADD = true
FORMAT = config::$1

This hangs, never returns.

[multiLineTopic]
REGEX = (?m-s)(.*)
FORMAT = config::$1

This just stores the first line of text from the event, e.g. sample

[multiLineTopic]
REGEX = (?s)(.*)
MV_ADD = true
FORMAT = config::$1

This stores all lines, but in one single long line, no new line characters, e.g. sample sample1 queue1 ....

I am looking to see a multilined field, like in the raw data.

Hope this makes more sense now. Any ideas?

0 Karma
1 Solution

Johnvey
Contributor

To clarify, there are 2 distinct items here: multi-line data, and a multi-value field.

  • multi-line event: this is a single event that contains multiple lines, which may contain some number of fields, ex: a Java stack trace
  • multi-value field: this is a single field within an event that may contain more than one value, ex: to_address=bob@example.com,joe@example.com,jane@example.com

The current table renderer that ships with Splunk 4.0+ will render multi-value fields on separate lines, but render a multi-line event as a single line. Obviously the raw event renderer will always show multi-line events with line breaks preserved.

If you want to render multi-line events in a table with line breaks preserved, you can add a CSS rule to the desired table (either via an application.css or other custom CSS file). In the meantime, I will file this as an enhancement request.

Hazel
Communicator

Thank you, this makes things clearer. It would be great to have this added as an enhancement.

0 Karma

gkanapathy
Splunk Employee

I don't know what your field extractions look like, but you should use a multivalued field for each config line, then:

... | stats list(config) by Application

A multivalue extraction might look in transforms.conf like:

[config-lines]
# one value per line; [^\V] would match only vertical whitespace, so use an
# explicit non-newline class, and + rather than * so no zero-length match occurs
REGEX = (?m-s)^(?<config>[^\r\n]+)$
MV_ADD = true

0 Karma
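
As an added illustration (not code from this thread, and an approximation of a Splunk REGEX/MV_ADD transform with Python's re module rather than Splunk's own engine), the following mimics the comment-removal transform, the three attempts in the question, and the one-value-per-line extraction on constructed sample events; `extract`, `comment_removal` and `config_values` are hypothetical names:

```python
import re

# Constructed sample events, as BREAK_ONLY_BEFORE = ^sample would leave them.
# The values are made up for this illustration.
EVENTS = [
    "# comment line one\n# comment line two",
    "sample\nsample1\nqueue1\ntopic1",
    "sample\nsample2\nqueue2\ntopic2",
]


def comment_removal(events):
    """Mimic [commentRemoval]: events matching REGEX=^# go to nullQueue."""
    return [e for e in events if re.search(r"^#", e) is None]


def extract(raw, regex, mv_add):
    """Approximate a REGEX/MV_ADD transform on one event.

    Without MV_ADD only group 1 of the first match is kept; with MV_ADD group 1
    of every match is kept, zero-length matches included, which is what the
    (.*) attempts produce between lines. Python's '.' already excludes newlines,
    so Splunk's (?m-s) is written as plain (?m) here.
    """
    matches = re.finditer(regex, raw)
    if not mv_add:
        m = next(matches, None)
        return [m.group(1)] if m else []
    return [m.group(1) for m in matches]


def config_values(raw):
    """The working extraction: one value per line, no zero-length matches."""
    return extract(raw, r"(?m)^([^\r\n]+)$", mv_add=True)


if __name__ == "__main__":
    for event in comment_removal(EVENTS):
        print("first line only :", extract(event, r"(?m)(.*)", mv_add=False))
        print("empty matches   :", extract(event, r"(?m)(.*)", mv_add=True))
        print("one long value  :", extract(event, r"(?s)(.*)", mv_add=True)[:1])
        print("multivalue field:", config_values(event))
```

The multivalue list from `config_values` is what `stats list(config)` then groups, one value per row in the table renderer.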

Hazel
Communicator

Hello. Not to worry, I was misunderstanding the answer - as pointed out above now, I can't have a multiline field. However, I am now trying to implement your stats list which was working great on individual searches until I tried to join them, would you have any ideas? - http://answers.splunk.com/questions/1912/using-multiple-stats-list

0 Karma

gkanapathy
Splunk Employee

And what about the one I provided? It should do the same as the first one you tried that hangs, but I don't see why it would hang.

0 Karma

Hazel
Communicator

Hello. I have rewritten my question, now that I have tried to implement your transform. I see this is the best way to get a multi-line field, but I can't get it to work. Any ideas?

0 Karma