Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

need line breaking for the following data generated as CSV

ranjitbrhm1
Communicator
‎07-15-2018 06:31 AM

Good day All, My skill in regex is very limited. Can anyone help me with the props.conf for the following data? ITs being generated by a small application called SpeedFan. Its calculating the temperature of my machines and writing it to a CSV. my data looks like below. I can work on real time as the time requirement as well because the csv is being generated on real time. I can also do field extractions later during search phase as well which is not a problem. Only thing i cant get splunk to do is split these lines into individual events.

Seconds HD0 Temp1   GPU GPU Core 0  Core 1
61581   36.0    42.0    0.0 0.0 26.0    27.0
61584   36.0    42.0    0.0 0.0 25.0    25.0
61587   36.0    42.0    0.0 0.0 27.0    30.0
61590   36.0    42.0    0.0 0.0 24.0    25.0
61593   36.0    49.0    0.0 0.0 33.0    40.0
61596   36.0    41.0    0.0 0.0 23.0    25.0
61600   36.0    55.0    0.0 0.0 26.0    27.0
61603   36.0    41.0    0.0 0.0 25.0    25.0
61606   36.0    43.0    0.0 0.0 25.0    27.0
61609   36.0    43.0    0.0 0.0 26.0    26.0
61612   36.0    42.0    0.0 0.0 23.0    25.0
61615   36.0    41.0    0.0 0.0 23.0    24.0
61618   36.0    41.0    0.0 0.0 25.0    26.0
61621   36.0    46.0    0.0 0.0 32.0    49.0
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎07-15-2018 10:16 AM

Use INDEXED_EXTRACTIONS as documented here:

https://docs.splunk.com/Documentation/Splunk/latest/Admin/Propsconf

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎07-15-2018 10:16 AM

Use INDEXED_EXTRACTIONS as documented here:

https://docs.splunk.com/Documentation/Splunk/latest/Admin/Propsconf

0 Karma
Reply
Solved! Jump to solution

ranjitbrhm1
Communicator
‎07-23-2018 11:07 PM

Your answer was somewhat on point. It made me read about what excatly is Indexed extraction. At the end all i had to do is add the following line.
INDEXED_EXTRACTIONS =tsv

Thanks

0 Karma
Reply
Solved! Jump to solution

pradeepkumarg
Influencer
‎07-15-2018 06:59 AM

A simple \n\" OR \n\W should work?

LINE_BREAKER=\n\W
0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎07-15-2018 10:13 AM

LINE_BREAKER must have capture group.

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎07-15-2018 06:59 AM

Your example data is not CSV. It may be TSV (tab separated values). What is hurting you most, however, is the entire line being enclosed in quotes. Try these settings. You may want to experiment with settings in the Add Data wizard before committing them to your props.conf file. The quotation marks in the LINE_BREAKER attribute represent characters in your data - they don't enclose the line breaker itself.

SHOULD_LINEMERGE = false
LINE_BREAKER = ("[\r\n]+")
TRUNCATE = 200
DATETIME_CONFIG = CURRENT
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

ranjitbrhm1
Communicator
‎07-15-2018 10:47 AM

I am clueless how this happened. Only when reading your comment i went back to check the data file again. There is no " there on the file. I just copy pasted the lines from the file on to the website without any form of editing.

0 Karma
Reply
Get Updates on the Splunk Community!

How to Monitor Google Kubernetes Engine (GKE)

We’ve looked at how to integrate Kubernetes environments with Splunk Observability Cloud, but what about ...

Index This | How can you make 45 using only 4?

October 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Splunk Education Goes to Washington | Splunk GovSummit 2024

If you’re in the Washington, D.C. area, this is your opportunity to take your career and Splunk skills to the ...