Hello,
I am rewriting this - hope it makes more sense. I have config files, which I am passing into Splunk as follows.
The file is a list of comments (which I don't want) followed by stuff I do want that starts with the word sample, so I use this: split at sample, then delete anything that starts with a # (the comments)
[queueconfig]
CHECK_METHOD = entire_md5
SHOULD_LINEMERGE = true
BREAK_ONLY_BEFORE = ^sample
TRANSFORMS-emsThree = commentRemoval

[commentRemoval]
REGEX=^#
DEST_KEY = queue
FORMAT = nullQueue
You end up with an event, e.g.
sample
sample1
queue1
topic1
What I want is to now put this data into a multiline field, but it doesn't work.
I have tried the following
[multiLineTopic]
REGEX = (?m-s)(.*)
MV_ADD = true
FORMAT = config::$1
This hangs, never returns
[multiLineTopic]
REGEX = (?m-s)(.*)
FORMAT = config::$1
This just stores the first line of text from the event, e.g. sample
[multiLineTopic]
REGEX = (?s)(.*)
MV_ADD = true
FORMAT = config::$1
This stores all lines, but in one single long line, no new line characters, e.g. sample sample1 queue1 ....
I am looking to see a multilined field, like in the raw data.
Hope this makes more sense now. Any ideas?
To clarify, there are 2 distinct items here: multi-line data, and a multi-value field.
to_address=bob@example.com,joe@example.com,jane@example.com
The current table renderer that ships with Splunk 4.0+ will render multi-value fields on separate lines, but render a multi-line event as a single line. Obviously the raw event renderer will always show multi-line events with line breaks preserved.
If you want to render multi-line events in a table with line breaks preserved, you can add a CSS rule to the desired table (either via an application.css or other custom CSS file). In the meantime, I will file this as an enhancement request.
Thank you, this makes things clearer. It would be great to have this added as an enhancement.
I don't know what your field extractions look like, but you should use a multivalued field for each config line, then:
... | stats list(config) by Application
A multivalue extraction might look in transforms.conf like:
[config-lines]
REGEX = (?m-s)^(?<config>[^\V]*)$
MV_ADD = true
Hello. Not to worry, I was misunderstanding the answer - as pointed out above now, I can't have a multiline field. However, I am now trying to implement your stats list which was working great on individual searches until I tried to join them, would you have any ideas? - http://answers.splunk.com/questions/1912/using-multiple-stats-list
And what about the one I provided? It should do the same as the first one you tried that hangs, but I don't see why it would hang.
Hello. I have rewritten my question. Now that I have tried to implement your transform, I see this is the best way to get a multi line field - but I can't get it to work. Any ideas?
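The difference between the three REGEX variants in the question, and between a multi-value field and a multi-line value as described in the answer, can be reproduced outside Splunk. The following is an added example, not code from the thread or from Splunk: it uses Python's `re` module as a stand-in for PCRE, and the `extract` and `render_cell` helpers and the sample event are assumptions constructed for illustration.

```python
import re

# Constructed sample event modelled on the question: one item per line.
EVENT = "sample\nsample1\nqueue1\ntopic1"

# The thread's patterns, with PCRE inline modifiers expressed as Python flags:
# (?m-s) -> MULTILINE with DOTALL off, (?s) -> DOTALL.
PER_LINE = (r"(.*)", re.MULTILINE)
WHOLE_EVENT = (r"(.*)", re.DOTALL)


def extract(spec, event, mv_add):
    """Emulate one field extraction (assumed model, not Splunk code).

    mv_add=True keeps every non-empty match as a separate value;
    mv_add=False keeps only the first match.
    """
    pattern, flags = spec
    values = [m.group(1) for m in re.finditer(pattern, event, flags) if m.group(1)]
    return values if mv_add else values[:1]


def render_cell(values):
    """Emulate the table renderer described in the answer: each value of a
    multi-value field gets its own line, while line breaks inside a single
    value are collapsed to spaces."""
    return "\n".join(" ".join(v.split()) for v in values)


if __name__ == "__main__":
    for label, spec, mv in [
        ("(?m-s)(.*) + MV_ADD", PER_LINE, True),
        ("(?m-s)(.*)", PER_LINE, False),
        ("(?s)(.*) + MV_ADD", WHOLE_EVENT, True),
    ]:
        values = extract(spec, EVENT, mv)
        print(f"{label}: {len(values)} value(s)")
        print(render_cell(values))
```

With the dot excluded from matching newlines, each line becomes its own value and the cell shows four lines; with `(?s)` the whole event is a single value whose line breaks disappear when the cell is rendered.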