Splunk Search

is a multi-line value possible for dedicated key-value pairs of an event?

Explorer

Dear Splunk community,

We create events in our own format, and everything in principle works well:

for example, an event looks like

SF_SPLUNK_EVENT^eventId=EVT_1019^alertLevel=2^ ... ^dateTime=Jul 02 2018 11:49:49^title=SPLUNK_SHER_DATA ---^standard=Sherlock-z/OS^msg=SHKI6209 RESOURCE ALERT CONCERNING 006 <-> "RES...

As you see, it's in principle a single-line event, meaning 1 record/line = 1 event in Splunk.

Specialty:
One field/key in our event is actually a multi-line field, namely the msg= field.
This means the value of the key "msg=" contains a multi-line message, and we
have converted the original/actual format for Splunk into a single-line text
by separating the lines with a "<->" separator (which we can easily change if it
helps to accomplish our mission).

OUR KIND QUESTION: is there a way to tell Splunk that the msg= field
is a multi-line field, and that it should be displayed as such by honoring the
given line separator?

Or would it be an alternative to include each single line via its
own msg=... key-value pair?

thanks a lot for your feedback

best regards
stephen


Motivator

If you need the event to be multi-line in Splunk, I would recommend leaving it multi-line while forwarding it.

What was the original purpose of converting it to a single-line event? Line-/event-breaking issues? In that case I'd suggest reviewing your props.conf settings for the particular sourcetype, so the events will be broken correctly even if they come in as multi-line.

You could try the following settings:

[your_sourcetype]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)(SF_SPLUNK_EVENT)

This should break the incoming events at the string "SF_SPLUNK_EVENT", leaving other line breaks as they are. So there will be no need to further convert a field from single-line to multi-line anymore.

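To see what the suggested LINE_BREAKER does to a forwarded stream, here is an added Python simulation (not part of the thread and not Splunk's own code) of the documented LINE_BREAKER rule: the text matched by the first capturing group is dropped and the rest of the match stays with the following event. The sample stream and the eventId/msg values are constructed; the second event keeps its msg= lines as real newlines instead of the "<->" separator.

```python
import re

# Constructed sample of the forwarded stream: two events, the second one with a
# multi-line msg= field whose lines are real newlines, not "<->" separators.
SAMPLE_STREAM = (
    "SF_SPLUNK_EVENT^eventId=EVT_1019^alertLevel=2^dateTime=Jul 02 2018 11:49:49"
    "^msg=SHKI6209 RESOURCE ALERT CONCERNING 006\n"
    "SF_SPLUNK_EVENT^eventId=EVT_1020^alertLevel=1^dateTime=Jul 02 2018 11:50:03"
    "^msg=SHKI6209 RESOURCE ALERT CONCERNING 007\n"
    "  \"RESOURCE X\" IS UNAVAILABLE\n"
    "  CONTACT OPERATOR\n"
)

# Same pattern as the props.conf LINE_BREAKER suggested in the answer above.
LINE_BREAKER = re.compile(r"([\r\n]+)(SF_SPLUNK_EVENT)")


def break_events(stream: str) -> list[str]:
    """Mimic Splunk's LINE_BREAKER semantics: the text matched by the first
    capturing group (the newline run) is discarded, and text matched outside
    it (the SF_SPLUNK_EVENT marker) stays with the event that follows.
    Line breaks inside the msg= value do not match, so they are preserved."""
    events = []
    start = 0
    for m in LINE_BREAKER.finditer(stream):
        events.append(stream[start:m.start(1)])
        start = m.end(1)  # next event begins right after the newline run
    events.append(stream[start:])
    return [e.rstrip("\r\n") for e in events if e.strip()]


def parse_fields(event: str) -> dict[str, str]:
    """Split one event on the '^' field separator into key=value pairs."""
    fields = {}
    for part in event.split("^")[1:]:  # [0] is the SF_SPLUNK_EVENT marker
        key, _, value = part.partition("=")
        fields[key] = value
    return fields


if __name__ == "__main__":
    for ev in break_events(SAMPLE_STREAM):
        f = parse_fields(ev)
        print(f["eventId"], "msg lines:", f["msg"].count("\n") + 1)
```

Note that any continuation line of msg= that itself begins with SF_SPLUNK_EVENT would be treated as a new event by this pattern, so the marker must not appear at the start of a message line.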