I've got a table that I am pulling data into Splunk with DB Connect. I've got the database input and database connection created. I figured I would use Key-Value format for the output format as I have some columns that have multiline data in them and it appears that it is smart enough to figure that out and it quotes the column data and changing literal quotes in the data to escaped quotes. However, when I do searches on the data the multiline fields are being broken at the first line break or escaped quote. I've tried every output format that there is. I'm sure there is a way to fix this, but my hunch is I'm going to have to edit a props.conf file for it as I can't find anything in the interface to tell it how to behave the way I want. Am I correct in this?
Hello,
I' using the multi-line key-value format. Here it looks inside $SPLUNK_HOME/etc/apps/dbx/local/inputs.conf
:
[dbmon-tail://KKK/KKK Alerts]
index = ws_kkk_alerts
interval = 240
output.format = mkv
output.timestamp = 1
output.timestamp.column = LastModifiedUTC
output.timestamp.parse.format = yyyy-MM-dd' 'HH:mm:ss' 'Z
output.timestamp.format = yyyy-MM-dd' 'HH:mm:ss' 'Z
query = SELECT bla bla bla.... {{AND av.$rising_column$ > ?}}
sourcetype = kkk_alerts
tail.rising.column = LastModified
disabled = 0
table = KKK Alerts
Note the output.format = mkv
.
After using mkv, there is one event for each row. This is working fine.
But, the field that contains the text spanning multiple lines is truncated. It is not displaying the whole text. Could anyone please comment as to why is this happening?
I tried mkv and it didn't work.The line break in the returned data was still messing up the field extraction.
ok.. but is the event being split in multiple events? I mean, is a single DB row output by the query being broken into multiple events or is just the fact that the field extraction is broken?