Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Trouble with Field Extraction with multiple values on multiple lines

20065945
Explorer
‎06-30-2015 10:07 PM

For the below data I want to create fields highlighted in data. The problem while extracting is that the data is in multiple lines so it is not considering as one event.

For Example: all this data under INFO should be as one event.
INFO: SOKY 01.05.2015 00:07:40.519
IDENT: GRS.S_FILEMANAGER_LASTFILES
PROCESS: FILEMAN
SOFTKEY: SYS:/resource/sk1024x768dirlastfils.bmx

Similarly for other tags also.

Sample data

Key: 0x01C4 ->Edit 01.05.2015 00:07:38.293
INFO: MAIN ERRCLEARED 01.05.2015 00:07:38.293
N25846 External EMERGENCY STOP
ERR: N25846 External EMERGENCY STOP 01.05.2015 00:07:38.384
INFO: GEO 01.05.2015 00:07:38.384
ERROR SOURCE: GEORUN
Key: 0x01CB ->PGM MGT 01.05.2015 00:07:38.524
Key: 0x0188 ->Softkey 8 01.05.2015 00:07:40.519
INFO: SOKY 01.05.2015 00:07:40.519
IDENT: GRS.S_FILEMANAGER_LASTFILES
PROCESS: FILEMAN
SOFTKEY: SYS:/resource/sk\1024x768\dir\lastfils.bmx
INFO: SYS WINEVENT 01.05.2015 00:07:40.748
FILEMAN.STARTUP.READY
Key: 0x0189 ->Softkey 9 01.05.2015 00:07:44.719
INFO: SOKY 01.05.2015 00:07:44.719
IDENT: GRS.S_BREAK
PROCESS: FILEMAN
SOFTKEY: SYS:/resource/sk\1024x768\allg\command.bmx
OVERLAY: 2
INFO: SOKY 01.05.2015 00:07:48.520
PROCESS: FILEMAN
Key: 0x01A8 ->Enter 01.05.2015 00:07:48.520
Key: 0x01CB ->PGM MGT 01.05.2015 00:07:51.124
INFO: SYS WINEVENT 01.05.2015 00:07:53.305
FILEMAN.STARTUP.READY
INFO: SOKY 01.05.2015 00:07:54.820
PROCESS: FILEMAN
Key: 0x01A1 ->Cursor Down 01.05.2015 00:07:54.820
Key: 0x01A1 ->Cursor Down 01.05.2015 00:07:55.009

Kindly help.

Tags (2)
0 Karma
Reply

woodcock
Esteemed Legend
‎07-01-2015 08:24 AM

If your event-breaking is working properly (that is a BIG if), then all that should be necessary is to add this to your props.conf:

[MySourceType]
KV_MODE = multi
0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Thanks for the Memories! Splunk University, .conf25, and our Community

Thank you to everyone in the Splunk Community who joined us for .conf25, which kicked off with our iconic ...

Data Persistence in the OpenTelemetry Collector

This blog post is part of an ongoing series on OpenTelemetry. What happens if the OpenTelemetry collector ...

Introducing Splunk 10.0: Smarter, Faster, and More Powerful Than Ever

Now On Demand Whether you're managing complex deployments or looking to future-proof your data ...