Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Splitting one event into multiple events
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This should be a simple question. In fact, I've succeeded in doing this before, but I no longer have that app and I can't recall the solution.
I run a script that outputs something like the following:
Queue Status
----- ------
MTAB208A READY
MTAB310C READY
MTAB318A READY
MTAB318B READY
I want Splunk to alert me when the "READY" status changes to "DOWN" (or something other than "READY").
So I wrote a script that uses sed to remove the first two lines, so the output becomes:
MTAB208A READY
MTAB310C READY
MTAB318A READY
MTAB318B READY
I want Splunk to extract two fields: queue and status. This is easy enough except I want each of those queues to be its own event. Instead, I get one big event containing all four queues.
How do I get each of those queues to be its own event? I know there's an easy way to do this but I'm having a mind block here. (I suppose the other option is to do away with the sed trimming and use multikv, but I think that might over-complicate this.)
I tried using LINE_BREAKER in props.conf but that didn't do anything:
LINE_BREAKER = ^\w+\s+\w+
Update: Figured it out! I needed to use "MUST_BREAK_AFTER". Oh yeah, and bounce Splunk after updating props.conf.
Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You should split the events at index time by specifying something like this in your props.conf:
[your_sourcetype]
SHOULD_LINEMERGE = false
DATETIME_CONFIG = current
LINE_BREAKER=([\r\n]+)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I tried it after changing /opt/splunkforwarder/etc/apps/Metro_TA_iibcorp/local/props.conf but it fails again to split the EventType.
[metro:iibcorpqmon]
SHOULD_LINEMERGE = false
DATETIME_CONFIG = current
LINE_BREAKER=([\r\n]+)
Is the props .conf in the correct place?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@AmitKapila - This question is quite old and it may not garner the type of attention and activity that you seek. I would suggest posting a new question. Thank you.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You should split the events at index time by specifying something like this in your props.conf:
[your_sourcetype]
SHOULD_LINEMERGE = false
DATETIME_CONFIG = current
LINE_BREAKER=([\r\n]+)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Aaaah okay. I got it working with: MUST_BREAK_AFTER = ^\w+\s+\w+ Does that seem reasonable too? Thanks!
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Splunk Community Badges!
How to find the worst searches in your Splunk environment and how to fix them
Share Your Feedback: On Admin Config Service (ACS)!
