Hi,
I have two problems with a log line.
1)
I have a log line that is occasionally inserted. It is a schedule, and I wish to extract the data from it. The entry has values that are eventTitle=
However, Splunk is only pulling the first occurrence from the log line and ignoring the rest.
So I get: eventTitle=BooRadley
in my fields, instead of
eventTitle=BooRadley
eventTitle=REGGAE-2
eventTitle=CHRISTIAN MISSION
I have tried using regex and | kv pairdelim="=", kvdelim=","
I am unsure if a line break would work as they are referenced to SArts - This is a field extracted via regex and changes.
2)
The log line is about 9999 characters long with spaces, and not all of the log line is ingested - I think I need to create a limits.conf file?
Below is an abridged extract of the log line
20231117154211 [18080-exec-9] INFO EventConversionService () - SArts: VUpdate(system=GRP1-VIPE, channelCode=UH, type=NextEvents, events=[Event(onAir=true, eventNumber=725538339, utcStartDateTime=2023-11-17T15:42:10.160Z, duration=00:00:05.000, eventTitle=BooRadley, contentType=Prog ), Event(onAir=false, eventNumber=725538313, utcStartDateTime=2023-11-17T15:42:15.160Z, duration=00:00:02.000, eventTitle= REGGAE-2, contentType=Bumper), Event(onAir=false, eventNumber=725538320, utcStartDateTime=2023-11-17T15:42:17.160Z, duration=00:01:30.000, eventTitle=CHRISITAN MISSION , contentType=Commercial), Event…
This is my code so far;
| rex "\-\s+(?<channel_name>.+)\:\sVUpdate" | stats values(eventNumber) by channel_name channelCode utcStartDateTime eventTitle duration
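An added example, not part of the original post: one way to get every eventTitle rather than only the first is to let rex match repeatedly (max_match=0), splitting the events=[...] list into one result per Event(...) so that each title stays paired with its own eventNumber, start time and duration. The field name event_raw is an assumption made for this example, and the regexes are written against the abridged line shown above (no commas or closing parentheses inside a title).

```spl
| rex "\-\s+(?<channel_name>.+)\:\sVUpdate"
| rex max_match=0 "Event\((?<event_raw>[^)]*)\)"
| mvexpand event_raw
| rex field=event_raw "eventNumber=(?<eventNumber>\d+)"
| rex field=event_raw "utcStartDateTime=(?<utcStartDateTime>[^,]+)"
| rex field=event_raw "duration=(?<duration>[^,]+)"
| rex field=event_raw "eventTitle=\s*(?<eventTitle>[^,]*?)\s*,"
| stats values(eventNumber) by channel_name channelCode utcStartDateTime eventTitle duration
```

An Event( entry that was cut off before its closing parenthesis, as happens when the line is not fully ingested, does not match the first rex and is silently skipped, so a short event count is a sign of truncation.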