Why are all events in one record and I am unable to extract fields?

godman01
Explorer

We have CSV files dropping in the Windows folder and the CSV file contains users data but it was not parsing correctly. It was showing all the events in one record, from which I am not able to extract the fields.
My data looks like:

"CN=xxxx\\\, xxxx\,OU=Users\,OU=Users and Groups\,DC=xxxxxx\,DC=net","xxxx","xxxxx","[ NormalAccount ]"
"CN=xxxxx\\\, xxxxx\,OU=Users\,OU=Users and Groups\,DC=xxxx\,DC=net","xxxxx","xxxxxx","[ NormalAccount ]"
"CN=xxxxx\\\, xxxxx\,OU=Users\,OU=Users and Groups\,DC=xxxxxxx\,DC=net",xxxxxx","xxxxxx","[ NormalAccount ]"

My inputs.conf:

[batch://F:\FTPROOT\Splunk Inputs]
move_policy = sinkhole
sourcetype = idm:ftp:ad
index = test
disabled = 0
crcSalt = 

[batch://F:\FTPROOT\Splunk Inputs\IDM*.csv]
move_policy = sinkhole
sourcetype = idm:ftp:idm
index = test
disabled = 0
crcSalt = 

And my props.conf:

[source::F:\FTPROOT\Splunk Inputs*]
CHECK_METHOD = modtime
INDEXED_EXTRACTIONS = CSV
HEADER_FIELD_LINE_NUMBER=3
LINE_BREAKER = (uid=)(CN=)([\r\n]+)
SHOULD_LINEMERGE=false
NO_BINARY_CHECK=true
INDEXED_EXTRACTIONS=csv

It should have different events individually. Any help will be appreciated.

0 Karma

lguinn2
Legend

I think the regular expression in your LINE_BREAKER is wrong.

If all your events are single-line (one event per line), then you can simply leave out the LINE_BREAKER; SHOULD_LINEMERGE=false is sufficient.

0 Karma
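
Added example (not part of the original thread and not Splunk's code): a simplified Python model of the documented LINE_BREAKER behaviour, in which the text matched by the first capture group is discarded and marks the boundary between two events. It runs the regex posted in the question and the default `([\r\n]+)` over constructed rows shaped like the posted data; `split_events` and the sample values are assumptions made for illustration.

```python
import re

# Constructed rows in the shape of the masked data posted in the question.
ROWS = [
    r'"CN=aaaa\\\, bbbb\,OU=Users\,OU=Users and Groups\,DC=example\,DC=net","u1","n1","[ NormalAccount ]"',
    r'"CN=cccc\\\, dddd\,OU=Users\,OU=Users and Groups\,DC=example\,DC=net","u2","n2","[ NormalAccount ]"',
    r'"CN=eeee\\\, ffff\,OU=Users\,OU=Users and Groups\,DC=example\,DC=net","u3","n3","[ NormalAccount ]"',
]
SAMPLE = "\r\n".join(ROWS) + "\r\n"

POSTED_BREAKER = r"(uid=)(CN=)([\r\n]+)"  # LINE_BREAKER from the props.conf in the question
DEFAULT_BREAKER = r"([\r\n]+)"            # Splunk's default LINE_BREAKER


def split_events(raw, line_breaker):
    """Simplified model of LINE_BREAKER: wherever the regex matches, the start
    of capture group 1 ends the previous event, the end of group 1 starts the
    next event, and the text matched by group 1 is dropped."""
    events, start = [], 0
    for m in re.finditer(line_breaker, raw):
        if m.start(1) == -1:  # group 1 did not take part in this match
            continue
        events.append(raw[start:m.start(1)])
        start = m.end(1)
    if start < len(raw):  # whatever is left after the last boundary
        events.append(raw[start:])
    return events


def count_events(raw, line_breaker):
    return len(split_events(raw, line_breaker))


if __name__ == "__main__":
    # The posted regex needs the literal text "uid=CN=" directly before a
    # newline, which never occurs in these rows, so no boundary is found.
    print("posted LINE_BREAKER :", count_events(SAMPLE, POSTED_BREAKER), "event(s)")
    # The default breaks on every run of CR/LF characters.
    print("default LINE_BREAKER:", count_events(SAMPLE, DEFAULT_BREAKER), "event(s)")
```
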

godman01
Explorer

Thanks for the reply but all my events are single line events but it is not showing as one event. All my events are showing as one record?

0 Karma

godman01
Explorer

This data is already indexed so I want to make changes for the indexed data.

0 Karma