Solved: DBConnect - Problem with multiline cells

bizza · ‎05-28-2014

Hi,
I configured dbconnect as tail-input on a Oracle database.
My problem is when I found a record with a multiline cell, usually when a SQL query is stored inside the cell.
Splunk split that record: there is a way to avoid it?

For example:

field1 | field2 | field3
ID | TIMESTAMP | SELECT * FROM TABLE;

works fine.

field1 | field2 | field3
ID | TIMESTAMP | SELECT * FROM TABLE
WHERE someoption blablabla;

Got me 2 events, and the second one is "WHERE someoption blablabla;" , without any interesting fields, so it cannot be correlated correctly to any other fields.

Any hints?

Regards

abonuccelli_spl · ‎05-29-2014

what does your db-tail input look like?

I can get multiline events broken down ok without actually touching props.conf...

Do you have multiline key-value output.format set?

output.format = mkv

View solution in original post

abonuccelli_spl · ‎05-29-2014

what does your db-tail input look like?

I can get multiline events broken down ok without actually touching props.conf...

Do you have multiline key-value output.format set?

output.format = mkv

bizza · ‎06-05-2014

mkv solved my issue.
Now I'll works on new props/transforms regex, but now splunk splits records correctly.

ciao

abonuccelli_spl · ‎05-28-2014

have you tried configuring props.conf with linemerging?

bizza · ‎05-28-2014

Yes, True first and then False.
I tried a non-matching truncate regexp too.

DBConnect - Problem with multiline cells

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!