Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splitting one event into multiple events

Branden
Builder
‎12-17-2010 03:28 PM

This should be a simple question. In fact, I've succeeded in doing this before, but I no longer have that app and I can't recall the solution.

I run a script that outputs something like the following:

Queue          Status
-----          ------
MTAB208A       READY
MTAB310C       READY
MTAB318A       READY
MTAB318B       READY

I want Splunk to alert me when the "READY" status changes to "DOWN" (or something other than "READY").

So I wrote a script that uses sed to remove the first two lines, so the output becomes:

MTAB208A       READY
MTAB310C       READY
MTAB318A       READY
MTAB318B       READY

I want Splunk to extract two fields: queue and status. This is easy enough except I want each of those queues to be its own event. Instead, I get one big event containing all four queues.

How do I get each of those queues to be its own event? I know there's an easy way to do this but I'm having a mind block here. (I suppose the other option is to do away with the sed trimming and use multikv, but I think that might over-complicate this.)

I tried using LINE_BREAKER in props.conf but that didn't do anything:

LINE_BREAKER = ^\w+\s+\w+

Update: Figured it out! I needed to use "MUST_BREAK_AFTER". Oh yeah, and bounce Splunk after updating props.conf.

Thanks!

Tags (1)
Reply
1 Solution
Solved! Jump to solution
Solution

ziegfried
Influencer
‎12-17-2010 04:02 PM

You should split the events at index time by specifying something like this in your props.conf:

[your_sourcetype]
SHOULD_LINEMERGE = false
DATETIME_CONFIG = current
LINE_BREAKER=([\r\n]+)

View solution in original post

Reply
Solved! Jump to solution

AmitKapila
New Member
‎05-16-2017 05:08 AM

I tried it after changing /opt/splunkforwarder/etc/apps/Metro_TA_iibcorp/local/props.conf but it fails again to split the EventType.

[metro:iibcorpqmon]
SHOULD_LINEMERGE = false
DATETIME_CONFIG = current
LINE_BREAKER=([\r\n]+)

Is the props .conf in the correct place?

0 Karma
Reply
Solved! Jump to solution

aaraneta_splunk
Splunk Employee
Splunk Employee
‎05-16-2017 08:03 AM

@AmitKapila - This question is quite old and it may not garner the type of attention and activity that you seek. I would suggest posting a new question. Thank you.

0 Karma
Reply
Solved! Jump to solution
Solution

ziegfried
Influencer
‎12-17-2010 04:02 PM

You should split the events at index time by specifying something like this in your props.conf:

[your_sourcetype]
SHOULD_LINEMERGE = false
DATETIME_CONFIG = current
LINE_BREAKER=([\r\n]+)
Reply
Solved! Jump to solution

Branden
Builder
‎12-17-2010 04:09 PM

Aaaah okay. I got it working with: MUST_BREAK_AFTER = ^\w+\s+\w+ Does that seem reasonable too? Thanks!

Reply
Get Updates on the Splunk Community!

New Year, New Changes for Splunk Certifications

As we embrace a new year, we’re making a small but important update to the Splunk Certification ...

[Puzzles] Solve, Learn, Repeat: Unmerging HTML Tables

[Puzzles] Solve, Learn, Repeat: Unmerging HTML TablesFor a previous puzzle, I needed some sample data, and ...

Enterprise Security (ES) Essentials 8.3 is Now GA — Smarter Detections, Faster ...

As of today, Enterprise Security (ES) Essentials 8.3 is now generally available, helping SOC teams simplify ...