- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- how to brake my lines and treat my multiple events...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
how to brake my lines and treat my multiple events as multiple events
Hi all, I am monitoring a CSV file that has multiple lines and using a pipe as the delimiter:
I want to brake them to diferent events instead Splunk is treating it as one event with multiple lines. I do have props.conf set on the IDXs but didnt change nothing,
#My Props.conf
[my myfake-sourcetype]
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)
NO_BINARY_CHECK=true
CHARSET=UTF-8
INDEXED_EXTRACTIONS=PSV
KV_MODE=none
disabled=false
category=Structured
pulldown_type=true
FIELD_DELIMITER=|
FIELD_NAMES=eruid|description|
My inputs.conf
[monitor:///my/fake/path/hhhh.csv*]
disabled = 0
sourcetype = hhhh:csv
index = main
crcSalt = <SOURCE>
eruid|description| batman|uses technology| superman|flies through the air| spiderman|uses a web| ghostrider| rides a motorcycle
eruid|description| batman|uses technology| superman|flies through the air| spiderman|uses a web| ghostrider| rides a motorcycle
eruid|description| batman|uses technology| superman|flies through the air| spiderman|uses a web| ghostrider| rides a motorcycle
eruid|description| batman|uses technology| superman|flies through the air| spiderman|uses a web| ghostrider| rides a motorcycle
eruid|description| batman|uses technology| superman|flies through the air| spiderman|uses a web| ghostrider| rides a motorcycle
eruid|description| batman|uses technology| superman|flies through the air| spiderman|uses a web| ghostrider| rides a motorcycle
eruid|description| batman|uses technology| superman|flies through the air| spiderman|uses a web| ghostrider| rides a motorcycle
eruid|description| batman|uses technology| superman|flies through the air| spiderman|uses a web| ghostrider| rides a motorcycle
eruid|description| batman|uses technology| superman|flies through the air| spiderman|uses a web| ghostrider| rides a motorcycle
eruid|description| batman|uses technology| superman|flies through the air| spiderman|uses a web| ghostrider| rides a motorcycle
eruid|description| batman|uses technology| superman|flies through the air| spiderman|uses a web| ghostrider| rides a motorcycle
eruid|description| batman|uses technology| superman|flies through the air| spiderman|uses a web| ghostrider| rides a motorcycle
eruid|description| batman|uses technology| superman|flies through the air| spiderman|uses a web| ghostrider| rides a motorcycle
eruid|description| batman|uses technology| superman|flies through the air| spiderman|uses a web| ghostrider| rides a motorcycle
eruid|description| batman|uses technology| superman|flies through the air| spiderman|uses a web| ghostrider| rides a motorcycle
regards
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You said yourself what the LINE_BREAKER is so Splunk breaks at the end of the line. BTW, you're using indexed extractions which might further complicate things.
I'd try to write a regex for breaking at every second pipe or at end of the line (if applicable). And _not_ use indexed extractions probably.
Something like
[^|]+\|[^|]+([\r\n|])
Bonus remark - are you sure you need crcsalt?
Enterprise Security Content Update (ESCU) | New Releases
Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?
Index This | What are the 12 Days of Splunk-mas?
