
How can I break this two events?

prianticoy
Explorer

Hello!!!

Can you help me break these two events? They must be separated by this expression:

WORD WORD WORD

We have these two events, so please use them as an example:

SUBPROCESS Process Termination
------------------------------
Username:          ZZZZ              UIC:               [1,4]
Account:           WWWWWW            Finish time:       29-OCT-2015 00:00:09.15
Process ID:        DDDDDDDD          Start time:        29-OCT-2015 00:00:09.14
Owner ID:          AAAAAAAA          Elapsed time:                0 00:00:00.01
Terminal name:                       Processor time:              0 00:00:00.02
Remote node addr:                    Priority:          4
Remote node name:                    Privilege <31-00>: FFFFFFFF
Remote ID:                           Privilege <63-32>: FFFFFFFF
Remote full name:
Posix UID:         -2                Posix GID:         -2 (%XFFFFFFFE)
Queue entry:                         Final status code: 00000001
Queue name:
Job name:
Final status text: %SYSTEM-S-NORMAL, normal successful completion
Page faults:               81        Direct IO:                  5
Page fault reads:          21        Buffered IO:              120
Peak working set:        1616        Volumes mounted:            0
Peak page file:        171680        Images executed:            3

NETWORK Process Termination
---------------------------
Username:          XXXX              UIC:               [1,4]
Account:           XDXDXD            Finish time:       29-OCT-2015 00:00:09.16
Process ID:        YYYYYYYY          Start time:        29-OCT-2015 00:00:05.82
Owner ID:                            Elapsed time:                0 00:00:03.34
Terminal name:                       Processor time:              0 00:00:00.16
Remote node addr:                    Priority:          4
Remote node name:                    Privilege <31-00>: FFFFFFFF
Remote ID:         NRPE              Privilege <63-32>: FFFFFFFF
Remote full name:  161.131.194.38
Posix UID:         -2                Posix GID:         -2 (%XFFFFFFFE)
Queue entry:                         Final status code: 00000001
Queue name:
Job name:
Final status text: %SYSTEM-S-NORMAL, normal successful completion
Page faults:              408        Direct IO:                119
Page fault reads:         108        Buffered IO:              793
Peak working set:        6912        Volumes mounted:            0
Peak page file:        176720        Images executed:            7


Thanks for your help!!!


prianticoy
Explorer

Thanks for your answer, but I can't use the complete phrase as the line breaker because the words change between the different events. I already worked in the props file with this command, BREAK_ONLY_BEFORE, and a regular expression, and it didn't work...

I can't split it in the search statement because I'm trying to define the sourcetype...

Do you have another idea?

Thanks again!!!


HiroshiSatoh
Champion

If you split at index time...

props.conf

  [your_events]
  BREAK_ONLY_BEFORE = NETWORK Process Termination

If you split in the search statement...

  (your search)|eval wk_raw=replace(_raw,"NETWORK Process Termination","[break]NETWORK Process Termination") |makemv delim="[break]" wk_raw | mvexpand wk_raw|eval _raw=wk_raw
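As an added check, not part of the thread and not Splunk's own code: the script below applies a boundary regex that tolerates the changing first word (the part prianticoy says a fixed phrase cannot handle) to the two sample records from the question, splitting them the way a LINE_BREAKER would and pulling the two-column rows into fields. The props.conf stanza in the comment, the sourcetype name `vms_accounting` and the assumption that only the first word of the header varies are mine; the thread does not say which regex was tried. Getting the boundary right is what makes Username, Remote full name and Final status text searchable per process, which is the point of ingesting these termination records for audit.

```python
import re

# Added example, not from the thread. Offline check of an event-breaking regex
# for the accounting records in the question, before putting it in props.conf.
#
# Assumed props.conf stanza (sourcetype name is a placeholder):
#   [vms_accounting]
#   SHOULD_LINEMERGE = false
#   LINE_BREAKER = ([\r\n]+)(?=[A-Z]+ Process Termination)
# Assumption: only the first word of the "WORD WORD WORD" header varies
# (SUBPROCESS, NETWORK, ...); "Process Termination" is constant.
BOUNDARY = re.compile(r"[\r\n]+(?=[A-Z]+ Process Termination)")

# A label is words separated by single spaces, e.g. "Privilege <31-00>".
# Two or more spaces before a label mark the second column of a row.
LABEL = r"[A-Za-z][\w<>-]*(?: [\w<>-]+)*"
COLUMN_SPLIT = re.compile(r"\s{2,}(?=" + LABEL + r":)")
FIELD = re.compile(r"^(" + LABEL + r"):\s*(.*?)\s*$")

# Constructed sample: the two records from the question (some rows trimmed),
# concatenated the way they would arrive in one monitored file.
SAMPLE = """\
SUBPROCESS Process Termination
------------------------------
Username:          ZZZZ              UIC:               [1,4]
Account:           WWWWWW            Finish time:       29-OCT-2015 00:00:09.15
Process ID:        DDDDDDDD          Start time:        29-OCT-2015 00:00:09.14
Terminal name:                       Processor time:              0 00:00:00.02
Remote full name:
Final status text: %SYSTEM-S-NORMAL, normal successful completion
Page faults:               81        Direct IO:                  5

NETWORK Process Termination
---------------------------
Username:          XXXX              UIC:               [1,4]
Account:           XDXDXD            Finish time:       29-OCT-2015 00:00:09.16
Remote ID:         NRPE              Privilege <63-32>: FFFFFFFF
Remote full name:  161.131.194.38
Final status text: %SYSTEM-S-NORMAL, normal successful completion
Page faults:              408        Direct IO:                119
"""


def break_events(raw):
    """Split raw text into events exactly where LINE_BREAKER would."""
    return [chunk for chunk in BOUNDARY.split(raw) if chunk.strip()]


def parse_event(event):
    """Return (header, fields) for one event; fields are keyed by label."""
    lines = event.strip().splitlines()
    header = lines[0].strip()
    fields = {"process_kind": header.split()[0]}
    for line in lines[1:]:
        if set(line.strip()) <= {"-"}:      # underline row or blank line
            continue
        for chunk in COLUMN_SPLIT.split(line.strip()):
            m = FIELD.match(chunk)
            if m:
                fields[m.group(1)] = m.group(2)
    return header, fields


def parse_all(raw):
    """Break and parse every event in the raw text."""
    return [parse_event(e) for e in break_events(raw)]


if __name__ == "__main__":
    for header, fields in parse_all(SAMPLE):
        print(header, "->", fields["Username"], fields.get("Remote full name"))
```

Run it as a script to print one line per event; if it yields a single event or the wrong count, the regex needs adjusting before it goes into props.conf. The same expression without the capture group also works as `BREAK_ONLY_BEFORE = ^[A-Z]+ Process Termination` if line merging stays enabled, but `LINE_BREAKER` with `SHOULD_LINEMERGE = false` is the cheaper option at index time.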