Deployment Architecture

DBConnect - Problem with multiline cells

bizza
Path Finder

Hi,
I configured dbconnect as tail-input on a Oracle database.
My problem is when I found a record with a multiline cell, usually when a SQL query is stored inside the cell.
Splunk split that record: there is a way to avoid it?

For example:

field1 | field2 | field3
ID | TIMESTAMP | SELECT * FROM TABLE;

works fine.

field1 | field2 | field3
ID | TIMESTAMP | SELECT * FROM TABLE
WHERE someoption blablabla;

Got me 2 events, and the second one is "WHERE someoption blablabla;" , without any interesting fields, so it cannot be correlated correctly to any other fields.

Any hints?

Regards

0 Karma
1 Solution

abonuccelli_spl
Splunk Employee
Splunk Employee

what does your db-tail input look like?

I can get multiline events broken down ok without actually touching props.conf...

Do you have multiline key-value output.format set?

output.format = mkv

View solution in original post

abonuccelli_spl
Splunk Employee
Splunk Employee

what does your db-tail input look like?

I can get multiline events broken down ok without actually touching props.conf...

Do you have multiline key-value output.format set?

output.format = mkv

bizza
Path Finder

mkv solved my issue.
Now I'll works on new props/transforms regex, but now splunk splits records correctly.

ciao

abonuccelli_spl
Splunk Employee
Splunk Employee

have you tried configuring props.conf with linemerging?

0 Karma

bizza
Path Finder

Yes, True first and then False.
I tried a non-matching truncate regexp too.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...