Trouble with Field Extraction with multiple values...

20065945 · ‎06-30-2015

For the below data I want to create fields highlighted in data. The problem while extracting is that the data is in multiple lines so it is not considering as one event.

For Example: all this data under INFO should be as one event.
INFO: SOKY 01.05.2015 00:07:40.519
IDENT: GRS.S_FILEMANAGER_LASTFILES
PROCESS: FILEMAN
SOFTKEY: SYS:/resource/sk1024x768dirlastfils.bmx

Similarly for other tags also.

Sample data

Key: 0x01C4 ->Edit 01.05.2015 00:07:38.293
INFO: MAIN ERRCLEARED 01.05.2015 00:07:38.293
N25846 External EMERGENCY STOP
ERR: N25846 External EMERGENCY STOP 01.05.2015 00:07:38.384
INFO: GEO 01.05.2015 00:07:38.384
ERROR SOURCE: GEORUN
Key: 0x01CB ->PGM MGT 01.05.2015 00:07:38.524
Key: 0x0188 ->Softkey 8 01.05.2015 00:07:40.519
INFO: SOKY 01.05.2015 00:07:40.519
IDENT: GRS.S_FILEMANAGER_LASTFILES
PROCESS: FILEMAN
SOFTKEY: SYS:/resource/sk\1024x768\dir\lastfils.bmx
INFO: SYS WINEVENT 01.05.2015 00:07:40.748
FILEMAN.STARTUP.READY
Key: 0x0189 ->Softkey 9 01.05.2015 00:07:44.719
INFO: SOKY 01.05.2015 00:07:44.719
IDENT: GRS.S_BREAK
PROCESS: FILEMAN
SOFTKEY: SYS:/resource/sk\1024x768\allg\command.bmx
OVERLAY: 2
INFO: SOKY 01.05.2015 00:07:48.520
PROCESS: FILEMAN
Key: 0x01A8 ->Enter 01.05.2015 00:07:48.520
Key: 0x01CB ->PGM MGT 01.05.2015 00:07:51.124
INFO: SYS WINEVENT 01.05.2015 00:07:53.305
FILEMAN.STARTUP.READY
INFO: SOKY 01.05.2015 00:07:54.820
PROCESS: FILEMAN
Key: 0x01A1 ->Cursor Down 01.05.2015 00:07:54.820
Key: 0x01A1 ->Cursor Down 01.05.2015 00:07:55.009

Kindly help.

woodcock · ‎07-01-2015

If your event-breaking is working properly (that is a BIG if), then all that should be necessary is to add this to your props.conf:

[MySourceType]
KV_MODE = multi

Trouble with Field Extraction with multiple values on multiple lines

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?