Splunk Search
Highlighted

need line breaking for the following data generated as CSV

Communicator

Good day All, My skill in regex is very limited. Can anyone help me with the props.conf for the following data? ITs being generated by a small application called SpeedFan. Its calculating the temperature of my machines and writing it to a CSV. my data looks like below. I can work on real time as the time requirement as well because the csv is being generated on real time. I can also do field extractions later during search phase as well which is not a problem. Only thing i cant get splunk to do is split these lines into individual events.

Seconds HD0 Temp1   GPU GPU Core 0  Core 1
61581   36.0    42.0    0.0 0.0 26.0    27.0
61584   36.0    42.0    0.0 0.0 25.0    25.0
61587   36.0    42.0    0.0 0.0 27.0    30.0
61590   36.0    42.0    0.0 0.0 24.0    25.0
61593   36.0    49.0    0.0 0.0 33.0    40.0
61596   36.0    41.0    0.0 0.0 23.0    25.0
61600   36.0    55.0    0.0 0.0 26.0    27.0
61603   36.0    41.0    0.0 0.0 25.0    25.0
61606   36.0    43.0    0.0 0.0 25.0    27.0
61609   36.0    43.0    0.0 0.0 26.0    26.0
61612   36.0    42.0    0.0 0.0 23.0    25.0
61615   36.0    41.0    0.0 0.0 23.0    24.0
61618   36.0    41.0    0.0 0.0 25.0    26.0
61621   36.0    46.0    0.0 0.0 32.0    49.0
0 Karma
Highlighted

Re: need line breaking for the following data generated as CSV

SplunkTrust
SplunkTrust

Your example data is not CSV. It may be TSV (tab separated values). What is hurting you most, however, is the entire line being enclosed in quotes. Try these settings. You may want to experiment with settings in the Add Data wizard before committing them to your props.conf file. The quotation marks in the LINE_BREAKER attribute represent characters in your data - they don't enclose the line breaker itself.

SHOULD_LINEMERGE = false
LINE_BREAKER = ("[\r\n]+")
TRUNCATE = 200
DATETIME_CONFIG = CURRENT
---
If this reply helps you, an upvote would be appreciated.
0 Karma
Highlighted

Re: need line breaking for the following data generated as CSV

Communicator

I am clueless how this happened. Only when reading your comment i went back to check the data file again. There is no " there on the file. I just copy pasted the lines from the file on to the website without any form of editing.

0 Karma
Highlighted

Re: need line breaking for the following data generated as CSV

Influencer

A simple \n\" OR \n\W should work?

LINE_BREAKER=\n\W
0 Karma
Highlighted

Re: need line breaking for the following data generated as CSV

Esteemed Legend

LINE_BREAKER must have capture group.

0 Karma
Highlighted

Re: need line breaking for the following data generated as CSV

Esteemed Legend
0 Karma
Highlighted

Re: need line breaking for the following data generated as CSV

Communicator

Your answer was somewhat on point. It made me read about what excatly is Indexed extraction. At the end all i had to do is add the following line.
INDEXED_EXTRACTIONS =tsv

Thanks

0 Karma
Speak Up for Splunk Careers!

We want to better understand the impact Splunk experience and expertise has has on individuals' careers, and help highlight the growing demand for Splunk skills.