Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Trouble with Field Extraction with multiple values on multiple lines

20065945
Explorer
‎06-30-2015 10:07 PM

For the below data I want to create fields highlighted in data. The problem while extracting is that the data is in multiple lines so it is not considering as one event.

For Example: all this data under INFO should be as one event.
INFO: SOKY 01.05.2015 00:07:40.519
IDENT: GRS.S_FILEMANAGER_LASTFILES
PROCESS: FILEMAN
SOFTKEY: SYS:/resource/sk1024x768dirlastfils.bmx

Similarly for other tags also.

Sample data

Key: 0x01C4 ->Edit 01.05.2015 00:07:38.293
INFO: MAIN ERRCLEARED 01.05.2015 00:07:38.293
N25846 External EMERGENCY STOP
ERR: N25846 External EMERGENCY STOP 01.05.2015 00:07:38.384
INFO: GEO 01.05.2015 00:07:38.384
ERROR SOURCE: GEORUN
Key: 0x01CB ->PGM MGT 01.05.2015 00:07:38.524
Key: 0x0188 ->Softkey 8 01.05.2015 00:07:40.519
INFO: SOKY 01.05.2015 00:07:40.519
IDENT: GRS.S_FILEMANAGER_LASTFILES
PROCESS: FILEMAN
SOFTKEY: SYS:/resource/sk\1024x768\dir\lastfils.bmx
INFO: SYS WINEVENT 01.05.2015 00:07:40.748
FILEMAN.STARTUP.READY
Key: 0x0189 ->Softkey 9 01.05.2015 00:07:44.719
INFO: SOKY 01.05.2015 00:07:44.719
IDENT: GRS.S_BREAK
PROCESS: FILEMAN
SOFTKEY: SYS:/resource/sk\1024x768\allg\command.bmx
OVERLAY: 2
INFO: SOKY 01.05.2015 00:07:48.520
PROCESS: FILEMAN
Key: 0x01A8 ->Enter 01.05.2015 00:07:48.520
Key: 0x01CB ->PGM MGT 01.05.2015 00:07:51.124
INFO: SYS WINEVENT 01.05.2015 00:07:53.305
FILEMAN.STARTUP.READY
INFO: SOKY 01.05.2015 00:07:54.820
PROCESS: FILEMAN
Key: 0x01A1 ->Cursor Down 01.05.2015 00:07:54.820
Key: 0x01A1 ->Cursor Down 01.05.2015 00:07:55.009

Kindly help.

Tags (2)
0 Karma
Reply

woodcock
Esteemed Legend
‎07-01-2015 08:24 AM

If your event-breaking is working properly (that is a BIG if), then all that should be necessary is to add this to your props.conf:

[MySourceType]
KV_MODE = multi
0 Karma
Reply
Get Updates on the Splunk Community!

App Platform's 2025 Year in Review: A Year of Innovation, Growth, and Community

As we step into 2026, it’s the perfect moment to reflect on what an extraordinary year 2025 was for the Splunk ...

Operationalizing Entity Risk Score with Enterprise Security 8.3+

Overview Enterprise Security 8.3 introduces a powerful new feature called “Entity Risk Scoring” (ERS) for ...

Unlock Database Monitoring with Splunk Observability Cloud

  In today’s fast-paced digital landscape, even minor database slowdowns can disrupt user experiences and ...