- Splunk Answers
- :
- Splunk Administration
- :
- Monitoring Splunk
- :
- How to get Splunk DB Connect to respect multiline ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to get Splunk DB Connect to respect multiline data in a column?
I've got a table that I am pulling data into Splunk with DB Connect. I've got the database input and database connection created. I figured I would use Key-Value format for the output format as I have some columns that have multiline data in them and it appears that it is smart enough to figure that out and it quotes the column data and changing literal quotes in the data to escaped quotes. However, when I do searches on the data the multiline fields are being broken at the first line break or escaped quote. I've tried every output format that there is. I'm sure there is a way to fix this, but my hunch is I'm going to have to edit a props.conf file for it as I can't find anything in the interface to tell it how to behave the way I want. Am I correct in this?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
I' using the multi-line key-value format. Here it looks inside $SPLUNK_HOME/etc/apps/dbx/local/inputs.conf:
[dbmon-tail://KKK/KKK Alerts]
index = ws_kkk_alerts
interval = 240
output.format = mkv
output.timestamp = 1
output.timestamp.column = LastModifiedUTC
output.timestamp.parse.format = yyyy-MM-dd' 'HH:mm:ss' 'Z
output.timestamp.format = yyyy-MM-dd' 'HH:mm:ss' 'Z
query = SELECT bla bla bla.... {{AND av.$rising_column$ > ?}}
sourcetype = kkk_alerts
tail.rising.column = LastModified
disabled = 0
table = KKK Alerts
Note the output.format = mkv.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
After using mkv, there is one event for each row. This is working fine.
But, the field that contains the text spanning multiple lines is truncated. It is not displaying the whole text. Could anyone please comment as to why is this happening?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I tried mkv and it didn't work.The line break in the returned data was still messing up the field extraction.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ok.. but is the event being split in multiple events? I mean, is a single DB row output by the query being broken into multiple events or is just the fact that the field extraction is broken?
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
