Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Consume Free-Form text

kmattern
Builder
‎11-03-2011 08:22 AM

I have a help desk database in SQL Server that I want to export to log type files and have Splunk consume. I'm not having any trouble getting the data into Splunk but I can't seem to get Splunk to understand where the boundaries for each record/event is. I have defined my output as follows:



TicketNum=000001

CustName=Bob Smith

CallDate=2011-11-01

Status=Closed

CallDesc=Mr. Smith had trouble accessing his hydro accelerator while in mimsy mode.

CallResolution=Told Mr. Smith that he had to be sure his vorbis was in gear

Of course the CallDesc and CallResolution fields can be quite long. They contain copies of emails, comments and more. I have been careful to separate them with only line feeds. The only carriage return/linefeed is at the end of each record/event. There are 14 fields in each record/event.

When I run a search on the raw data many of the records/events run together and they do not necessarily break at the end of a record/event. Yet others do. I have set the DELIMS="\n" in transforms.conf but it doesn't seem to help.

Does anyone know how I can break these records/events out properly?

Thanks

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

tgow
Splunk Employee
Splunk Employee
‎11-03-2011 09:51 AM

You will need to instruct Splunk that this is a mulit-line event and also tell it where the line breakers are. Assuming that the TicketNum field is where a new event starts try this in your $SPLUNK_HOME/etc/system/local/props.conf:

[yoursourcetype]
SHOULD_LINEMERGE = True
BREAK_ONLY_BEFORE = ^TicketNum

View solution in original post

Reply
Solved! Jump to solution
Solution

tgow
Splunk Employee
Splunk Employee
‎11-03-2011 09:51 AM

You will need to instruct Splunk that this is a mulit-line event and also tell it where the line breakers are. Assuming that the TicketNum field is where a new event starts try this in your $SPLUNK_HOME/etc/system/local/props.conf:

[yoursourcetype]
SHOULD_LINEMERGE = True
BREAK_ONLY_BEFORE = ^TicketNum
Reply
Solved! Jump to solution

_d_
Splunk Employee
Splunk Employee
‎11-03-2011 08:36 AM

Try using DELIMS="([\r\n])+" as there may be carriage returns and/or new lines.

Hope this helps

> please upvote and accept answer if you find it useful - thanks!

0 Karma
Reply
Solved! Jump to solution

kmattern
Builder
‎11-03-2011 08:49 AM

That didn't seem to do anything different. Maybe part of the problem is that in the free-form text theare are usually a number of dates. Emails are copied comppletely into these records and that includes the date and time of the email. I moved all of my date fields to the top of the event but that didn't seem to help either.

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...