Splunk Search

How to search across multiple lines in a text file

subbaraokvedams
Engager

In a log file, I have a section which is similar to the one below:

Name: HOME_COMPUTER
Description: DELL HOME COMPUTER
Part-Number: 12345-678
Serial-Number: 9AV123AM345
Rev: X2
Dash-Level:
MFG-On: 2012-10-11 08:07:36
Status: OK

From the above lines in the log file, I would like to identify,
for a particular part number (in this case 12345-678),
if the serial number lies within a range (in this case if the 3 digits after the first 3 characters lie within 110 & 150),
and if MFG-On is earlier than 12th Dec 2012,
then raise an alert.

I am a beginner in Splunk and would like to have some guidance.

subbaraokvedams
Engager

Hi dwaddle,
Thank you for your prompt response.
The log file has both events based on timestamp and configuration section.
Can we use what you suggested just for the configuration section and use time stamp for rest of the log?
Or do you recommend 2 different queries - one for parsing the time stamp and other for parsing the configuration section?
With Best Wishes,
subba

0 Karma

dwaddle
SplunkTrust

You need to know if these lines from this log file are a single event or not. Splunk can easily read in multi-line events and it would not matter if the data you are looking for is in separate lines of the event or not.

Splunk's default configuration is to merge lines from a file into multi-line events, using the discovery of a timestamp in a line as the hint that a prior event is over and a new one has begun. If your log file has no other timestamp than the "MFG-ON" line you show, this may not be what you want.

In this case, I would probably suggest a custom LINE_BREAKER to make sure your multiple lines are correctly parsed into a single event. Then your search is easy. How to configure line breaking is covered in the Splunk Docs at http://docs.splunk.com/Documentation/Splunk/5.0.4/Data/Indexmulti-lineevents

0 Karma
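As an added illustration of the approach above (not code from the thread or from the Splunk docs), here is a custom LINE_BREAKER that turns each inventory record into one event, paired with a scheduled alert implementing the three conditions in the question. It assumes the configuration section is indexed under its own sourcetype, called `dell_inventory` here, and that every record begins with a `Name:` line.

```ini
# props.conf -- one event per inventory record; a new event starts at "Name:"
[dell_inventory]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)(?=Name:\s)
# The records carry no event timestamp, so stamp them with index time and
# evaluate the MFG-On date inside the search instead of using it as _time.
DATETIME_CONFIG = CURRENT
TRUNCATE = 10000

# savedsearches.conf -- alert when a newly indexed record matches all three rules
[dell_inventory_serial_range_alert]
enableSched = 1
cron_schedule = */15 * * * *
dispatch.earliest_time = -15m
dispatch.latest_time = now
search = sourcetype=dell_inventory \
  | rex "Part-Number:\s+(?<part_number>\S+)" \
  | rex "Serial-Number:\s+(?<serial>\S+)" \
  | rex "MFG-On:\s+(?<mfg_on>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})" \
  | eval serial_mid = tonumber(substr(serial, 4, 3)) \
  | eval mfg_epoch = strptime(mfg_on, "%Y-%m-%d %H:%M:%S") \
  | where part_number="12345-678" AND serial_mid>=110 AND serial_mid<=150 \
        AND mfg_epoch < strptime("2012-12-12", "%Y-%m-%d") \
  | table _time part_number serial serial_mid mfg_on
counttype = number of events
relation = greater than
quantity = 0
alert.track = 1
```

For the sample record in the question, `substr` yields `123` (between 110 and 150) and `2012-10-11` is before `2012-12-12`, so that event fires the alert; records from other part numbers, serial ranges or later manufacturing dates are dropped by the `where` clause.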