Splunk Search

Multiline searches.

clintla
Contributor

I'd like to get a bunch of data from disk configuration but it's all multi-line stuff.

Data sample below, but this really is about 5000 disks. Would like to do searches for
'capacity added up for all unbound' or 'capacity for all Fibre Channel'.

What is a good way to search for this when the data is laid out in sets? I've seen
the Splunk documentation where it says Splunk groups these together automatically but
not sure what it means by that & see no evidence that there is any relationship when
I do searches.

Bus 0 Enclosure 0 Disk 0

State: Unbound

Drive Type: Fibre Channel

Capacity: 375600

Bus 0 Enclosure 0 Disk 1

State: Enabled

Drive Type: Fibre Channel

Capacity: 375600

Bus 0 Enclosure 0 Disk 2

State: Enabled

Drive Type: SATA
Capacity: 20000000

0 Karma
1 Solution

hazekamp
Builder

clintla,

It is imperative when working with multi-line events that Splunk be given the appropriate line break settings for your data set. Once events are broken up properly you would easily be able to extract k-v pairs and search on the data. Here are some configurations to get you started.

## props.conf
[<spec>]
## Break events on each "Bus N Enclosure N Disk N" header line. The first
## capture group (the newlines) is the delimiter Splunk discards; the header
## text after it becomes the start of the next event.
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)Bus\s+\d+\s+Enclosure\s+\d+\s+Disk\s+\d+
## I don't see date/time in your events so we set DATETIME_CONFIG = CURRENT
DATETIME_CONFIG = CURRENT
## Turn off the automatic key=value extraction and use the REPORT transform
## below instead, which handles the "Key: value" lines in this data
KV_MODE = none
REPORT-auto_kv_for_my_sourcetype = auto_kv_for_my_sourcetype

## transforms.conf
[auto_kv_for_my_sourcetype]
## (?m) makes ^ anchor at the start of every line, not only the start of the
## event; without it [^:]+ runs across newlines and the first key would be
## "Bus 0 Enclosure 0 Disk 0 ... State". \s* drops the space after the colon.
## CLEAN_KEYS (on by default) turns "Drive Type" into the field Drive_Type.
REGEX = (?m)^([^:\r\n]+):\s*([^\r\n]+)
FORMAT = $1::$2
MV_ADD = true

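To check what the posted props.conf/transforms.conf settings do to this data before touching Splunk, the following Python script replays them offline: it splits the listing into one event per "Bus N Enclosure N Disk N" header, extracts the "Key: value" fields, and answers the two searches from the question (capacity of all Unbound disks, capacity of all Fibre Channel disks). This is an added example, not Splunk code and not hazekamp's configuration; the sample input is constructed from the three disks in the question, the header-number extraction (Bus/Enclosure/Disk fields) is an addition beyond the posted transform, and the field-name cleanup mirrors Splunk's default CLEAN_KEYS behaviour.

```python
"""Offline replay of the props.conf/transforms.conf settings from the answer:
split the disk listing into one event per disk, pull out the "Key: value"
fields, and answer the two searches from the question. Added example, not
Splunk code; the sample text is constructed from the question's data."""
import re

# Constructed sample input: the three disks from the question.
SAMPLE = """Bus 0 Enclosure 0 Disk 0

State: Unbound

Drive Type: Fibre Channel

Capacity: 375600

Bus 0 Enclosure 0 Disk 1

State: Enabled

Drive Type: Fibre Channel

Capacity: 375600

Bus 0 Enclosure 0 Disk 2

State: Enabled

Drive Type: SATA
Capacity: 20000000
"""

# Splunk keeps the text after LINE_BREAKER's first capture group as the start
# of the next event; Python's re.split would discard it, so the header goes in
# a lookahead here. The header pattern itself is the one from props.conf.
HEADER = r"Bus\s+\d+\s+Enclosure\s+\d+\s+Disk\s+\d+"
EVENT_SPLITTER = re.compile(r"[\r\n]+(?=" + HEADER + ")")

# transforms.conf REGEX with (?m): ^ anchors every line and the key cannot
# run across newlines.
KV_REGEX = re.compile(r"(?m)^([^:\r\n]+):\s*([^\r\n]+)")

# The regex as originally posted: no (?m), and [^:]+ may cross newlines.
KV_REGEX_ORIGINAL = re.compile(r"^([^:]+):([^\r\n]+)")

# Assumption (not in the posted config): also capture the header numbers so a
# disk can be identified later, e.g. when comparing monthly exports.
HEADER_FIELDS = re.compile(r"^Bus\s+(\d+)\s+Enclosure\s+(\d+)\s+Disk\s+(\d+)")


def break_events(text):
    """SHOULD_LINEMERGE = false + LINE_BREAKER: one event per disk header."""
    return [e for e in EVENT_SPLITTER.split(text.strip()) if e.strip()]


def clean_key(key):
    """What CLEAN_KEYS (default true) does to a field name: non-alphanumerics
    become underscores, so 'Drive Type' is searchable as Drive_Type."""
    return re.sub(r"[^A-Za-z0-9_]", "_", key.strip())


def extract_fields(event):
    """REPORT transform with MV_ADD: every 'Key: value' line becomes a field."""
    fields = {}
    header = HEADER_FIELDS.match(event)
    if header:
        fields["Bus"], fields["Enclosure"], fields["Disk"] = header.groups()
    for key, value in KV_REGEX.findall(event):
        fields[clean_key(key)] = value.strip()
    return fields


def parse_disks(text):
    """Event breaking followed by field extraction, one dict per disk."""
    return [extract_fields(event) for event in break_events(text)]


def sum_capacity(disks, **where):
    """Equivalent of `<filter> | stats sum(Capacity)`: add Capacity over the
    disks whose fields equal every key=value given in `where`."""
    return sum(int(d["Capacity"]) for d in disks
               if all(d.get(k) == v for k, v in where.items()))


def first_key_with_original_regex(event):
    """Shows the defect in the regex as first posted: without (?m), ^ matches
    only at the event start and [^:]+ swallows the header and blank lines, so
    the first extracted key is 'Bus 0 Enclosure 0 Disk 0\\n\\nState'."""
    match = KV_REGEX_ORIGINAL.match(event)
    return match.group(1) if match else None


if __name__ == "__main__":
    disks = parse_disks(SAMPLE)
    print("events:", len(disks))
    print("unbound capacity:", sum_capacity(disks, State="Unbound"))
    print("Fibre Channel capacity:", sum_capacity(disks, Drive_Type="Fibre Channel"))
    print("first key with original regex:",
          repr(first_key_with_original_regex(break_events(SAMPLE)[0])))
```

With the configuration in place, the same two questions are answered in Splunk by `sourcetype=<spec> State=Unbound | stats sum(Capacity)` and `sourcetype=<spec> Drive_Type="Fibre Channel" | stats sum(Capacity)`, where `<spec>` stands for the sourcetype stanza name used in props.conf. The `first_key_with_original_regex` function is there to show why the `(?m)` flag and the `[^:\r\n]` key class matter: without them the header line is absorbed into the first key and the State field is never produced.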

clintla
Contributor

Nice. I'll give it a go.

You're right about the time: there is no time (just a config file).

But say if we got the logs once a month, could we track a disk over time?
Say if it went from UNBOUND to ENABLED at some point? (A precursor in another
search for trending info.)

0 Karma

hazekamp
Builder

If you are batch importing data w/o date/time information it becomes very difficult to track anything over time. I would recommend either collecting this data in nearer real-time or adding date/timestamps to your events.

0 Karma
