- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: need line breaking for the following data gene...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Good day All, My skill in regex is very limited. Can anyone help me with the props.conf for the following data? ITs being generated by a small application called SpeedFan. Its calculating the temperature of my machines and writing it to a CSV. my data looks like below. I can work on real time as the time requirement as well because the csv is being generated on real time. I can also do field extractions later during search phase as well which is not a problem. Only thing i cant get splunk to do is split these lines into individual events.
Seconds HD0 Temp1 GPU GPU Core 0 Core 1
61581 36.0 42.0 0.0 0.0 26.0 27.0
61584 36.0 42.0 0.0 0.0 25.0 25.0
61587 36.0 42.0 0.0 0.0 27.0 30.0
61590 36.0 42.0 0.0 0.0 24.0 25.0
61593 36.0 49.0 0.0 0.0 33.0 40.0
61596 36.0 41.0 0.0 0.0 23.0 25.0
61600 36.0 55.0 0.0 0.0 26.0 27.0
61603 36.0 41.0 0.0 0.0 25.0 25.0
61606 36.0 43.0 0.0 0.0 25.0 27.0
61609 36.0 43.0 0.0 0.0 26.0 26.0
61612 36.0 42.0 0.0 0.0 23.0 25.0
61615 36.0 41.0 0.0 0.0 23.0 24.0
61618 36.0 41.0 0.0 0.0 25.0 26.0
61621 36.0 46.0 0.0 0.0 32.0 49.0
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Use INDEXED_EXTRACTIONS as documented here:
https://docs.splunk.com/Documentation/Splunk/latest/Admin/Propsconf
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Use INDEXED_EXTRACTIONS as documented here:
https://docs.splunk.com/Documentation/Splunk/latest/Admin/Propsconf
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Your answer was somewhat on point. It made me read about what excatly is Indexed extraction. At the end all i had to do is add the following line.
INDEXED_EXTRACTIONS =tsv
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
A simple \n\" OR \n\W should work?
LINE_BREAKER=\n\W
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
LINE_BREAKER must have capture group.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Your example data is not CSV. It may be TSV (tab separated values). What is hurting you most, however, is the entire line being enclosed in quotes. Try these settings. You may want to experiment with settings in the Add Data wizard before committing them to your props.conf file. The quotation marks in the LINE_BREAKER attribute represent characters in your data - they don't enclose the line breaker itself.
SHOULD_LINEMERGE = false
LINE_BREAKER = ("[\r\n]+")
TRUNCATE = 200
DATETIME_CONFIG = CURRENT
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am clueless how this happened. Only when reading your comment i went back to check the data file again. There is no " there on the file. I just copy pasted the lines from the file on to the website without any form of editing.
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics!
New in Observability Cloud - Explicit Bucket Histograms
