- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- extract multi lines fields
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
extract multi lines fields
We are logging the following application network statistics. I want to be able to index the data into splunk so we can generate reports on it.
The First line consists of the following fields:
timestamp, site name, remote server name , local server name
Other lines of the same record consists of the following fields:
statistic name : message type : origin Node : statistic Value
This is the actual log:
1386704158913 SITE-A,remoteServer1,localhost
receivedMessages:AAA:NODE1:10
receivedMessages:BBB:NODE1:10
sentMessages:CCC:NODE2:10
discMessages:AAA:NODE1:1
discMessages:BBB:NODE2:1
1386704158913 SITE-A,remoteServer2,localhost2
receivedMessages:FFF:NODE1:10
receivedMessages:GGG:NODE1:10
sentMessages:HHH:NODE2:10
discMessages:FFF:NODE1:1
discMessages:III:NODE2:1
Is there a way to extract all the fields above from that log format?
Thanks a lot.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Use Regext to extract the time, then MVEXPAND then you will be able to have the correlation. Then make the extractions.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can easily do that by adjusting the line breaking in props.conf
Have a play with regular expressions and the options under "Attributes that are available only when SHOULD_LINEMERGE is set to true" in
http://docs.splunk.com/Documentation/Splunk/6.0/Data/Indexmulti-lineevents
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
No, you should not break them into single-line events, for the exact reasons that you mention. My question was if you had succeeded in creating the (multi-line) events correctly in splunk.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If i break the log/lines into individual events, wont i loos the correlation between the first line (which consists of the event time stamp and other shared fields) and the other sub lines?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Any problems with breaking the log into indvidual events? Or is it only regarding the field extraction?
Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
