Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Break Log file with header and details into events

warrenpage
Explorer
‎04-26-2011 06:11 PM

I have a log file that looks generally like this

Header data  time=xxxxxx  databasename=yyyyyyy  numberortables=xx
Detail tablename=table1  rowsread=1111
Detail tablename=table2  rowsread=2222

I know I could break events on each detail record. However is there a way to configure my props.conf file so it pushes/collect the Data from the header into the detail events somehow?

This is so I could do a search on say databasename=xxx and tablename=yyy?

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

hazekamp
Builder
‎04-26-2011 11:32 PM

Generally speaking there is no way to force that Header into each Detail record such that you have:

Event 1:
Header 1
Detail A

Event 2:
Header 1
Detail B

Depending on the number of "Detail" records you could create a multi-line event. I wouldn't recommend creating events w/ linecount>500. Given that the row count for an event = (# of tables) + 1 (header) you should be under that mark. You would essentially be creating a single event for each database.

Event 1:
Header 1
Detail A
Detail B
Detail C

Event 2:
Header 2
Detail X
Detail Y
Detail Z

View solution in original post

Reply
Solved! Jump to solution
Solution

hazekamp
Builder
‎04-26-2011 11:32 PM

Generally speaking there is no way to force that Header into each Detail record such that you have:

Event 1:
Header 1
Detail A

Event 2:
Header 1
Detail B

Depending on the number of "Detail" records you could create a multi-line event. I wouldn't recommend creating events w/ linecount>500. Given that the row count for an event = (# of tables) + 1 (header) you should be under that mark. You would essentially be creating a single event for each database.

Event 1:
Header 1
Detail A
Detail B
Detail C

Event 2:
Header 2
Detail X
Detail Y
Detail Z
Reply
Solved! Jump to solution

warrenpage
Explorer
‎04-28-2011 06:38 PM

Thanks I suspected as much.

I think I will just need to run the file through awk first to create full detail records like

time=xxxxxx databasename=yyyyyyy tablename=table1 rowsread=1111
time=xxxxxx databasename=yyyyyyy tablename=table2 rowsread=2222

In the meantime just doing without the header fields and marking the details as events separately.

0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...