Dashboards & Visualizations

Need help for line breaking

RobertRi
Communicator

Hi

I have a problem with an logifle wich has over 95% single line events and a few multiline events.

These multiline events have this format

START*A .....
   ....
   ....
   ....
END

How can I configure I splunk to keep this lines together as a one multiline event?

Thanks for your help
Rob

Tags (2)
0 Karma

RobertRi
Communicator

Yes, the inner multiline lines are indented with tabs

0 Karma

gkanapathy
Splunk Employee
Splunk Employee

Then:

[mysourcetype]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)(?:XSET|XGET|START|\?|XKS|XDEL)

may do it. Or,

[mysourcetype]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)(?!(?:END|\t))
0 Karma

gkanapathy
Splunk Employee
Splunk Employee

for best performance, you want to set SHOULD_LINEMERGE = false, which disables all rules other than LINE_BREAKER. but generally indexing performance is not a problem and so a clearer rule may be better.

0 Karma

RobertRi
Communicator

I have played around with the data preview in the UI (really cool thing!) and found that this works too.

MUST_NOT_BREAK_AFTER=^START\*\w+\s
MUST_BREAK_AFTER=^END
SHOULD_LINEMERGE= true

In case of performance, did you recommend your solution with the LINE_BREAKER or my way?

Thank you very much for your help!
Rob

0 Karma

gkanapathy
Splunk Employee
Splunk Employee

So, with the multi-line events, are the inner lines actually indented with spaces or tabs? Or is that just how you formatted it?

0 Karma

RobertRi
Communicator

The single lines are really different
They begin with ..

XSET
XGET
START ......... END
?
XKS
XDEL

0 Karma

gkanapathy
Splunk Employee
Splunk Employee

what do the single line events look like?

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...