Imperva to Splunk - Unable to properly parse multiline events. Rawquery fields are appended with different timestamps for each newline.
EX:
Event 1
Jul 11 09:18:18 abc.xyz.com CEF: 0|Imperva Inc.|SecureSphere|10.5.0.13_0|XYZ|XYZ.DAM|Informative|dest_ip=qq.tyy.214.28 dest_port=0000 dbuser=xyz sou_ip=00.000.000.00 source=000 proto=TCP createtime=09 July 2000 16:18:10, cat=XYZ Configuration Changes servergroup=XY MSServer servicename =YZ QLServer applicationname=XYZ App event_id=00000 query=Query usergroup=Default autheticated=Yes applicationuser= application= osuser= hostname= dbname=xyzmanager schemaname= bindvariable= errorvalue= responsesize=0 responsetime=0 affectedrows=0 parsequery=if object_id(?) is not ? drop table #entitytransaction create table #entitytransaction (transactionid bigint) rawdata=#015
Event 2
Jul 11 09:18:18 abc.xyz.com CREATE TABLE #EntityTrans (TransId bigint)#015
Ideally they are a single event, but Splunk displays them as two different events
... View more