Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: extract multi lines fields
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
extract multi lines fields
We are logging the following application network statistics. I want to be able to index the data into splunk so we can generate reports on it.
The First line consists of the following fields:
timestamp, site name, remote server name , local server name
Other lines of the same record consists of the following fields:
statistic name : message type : origin Node : statistic Value
This is the actual log:
1386704158913 SITE-A,remoteServer1,localhost
receivedMessages:AAA:NODE1:10
receivedMessages:BBB:NODE1:10
sentMessages:CCC:NODE2:10
discMessages:AAA:NODE1:1
discMessages:BBB:NODE2:1
1386704158913 SITE-A,remoteServer2,localhost2
receivedMessages:FFF:NODE1:10
receivedMessages:GGG:NODE1:10
sentMessages:HHH:NODE2:10
discMessages:FFF:NODE1:1
discMessages:III:NODE2:1
Is there a way to extract all the fields above from that log format?
Thanks a lot.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Use Regext to extract the time, then MVEXPAND then you will be able to have the correlation. Then make the extractions.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can easily do that by adjusting the line breaking in props.conf
Have a play with regular expressions and the options under "Attributes that are available only when SHOULD_LINEMERGE is set to true" in
http://docs.splunk.com/Documentation/Splunk/6.0/Data/Indexmulti-lineevents
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
No, you should not break them into single-line events, for the exact reasons that you mention. My question was if you had succeeded in creating the (multi-line) events correctly in splunk.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If i break the log/lines into individual events, wont i loos the correlation between the first line (which consists of the event time stamp and other shared fields) and the other sub lines?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Any problems with breaking the log into indvidual events? Or is it only regarding the field extraction?
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas
What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)
Automating Threat Operations and Threat Hunting with Recorded Future
