I am indexing syslog traps stored to a file. I am building a transaction based on that, keyed on when the value of a particular field extracted with rex changes. However, it would seem that sometimes the indexer records two specific events as one. This is obviously messing with the results, as the second event is not considered. I am looking for a workaround. This event represents two different events, which my transaction search requires in order to function. If the second one isn't considered, my transaction command will fail:
Received Time:4/28/2016 8:40:55 AM
Source:
Community:jeQ2saFRaXaspAqa
Tag:= BLUE_PLANET
Variable Bindings
sysUpTime:= 0.03 second (3)
snmpTrapOID:= CYAN-MIB:cyan.6.1.3.60 (1.3.6.1.4.1.28533.6.1.3.60)
cyan.6.1.1.1.0:= 48548
cyan.6.1.1.2.0:= 10.252.4.17
cyan.6.1.1.3.0:= Nodename
cyan.6.1.1.4.0:= 3
cyan.6.1.1.5.0:= OCh Term.
cyan.6.1.1.6.0:= LINE_OCH-1-6-1-210
cyan.6.1.1.7.0:= 388
cyan.6.1.1.8.0:= 60
cyan.6.1.1.9.0:= High Rx Power
cyan.6.1.1.10.0:= 1
cyan.6.1.1.11.0:= 3
cyan.6.1.1.12.0:= 2
cyan.6.1.1.13.0:= 3
cyan.6.1.1.14.0:= Signal Degrade - High Received Power
cyan.6.1.1.15.0:= Cyan Z33
cyan.6.1.1.16.0:= TP_SD
snmpTrapEnterprise:= CYAN-MIB:cyanProducts.6 (1.3.6.1.4.1.28533.1.6)
Received Time:4/28/2016 8:40:56 AM
Source:
Community:jeQ2saFRaXaspAqa
Tag:= BLUE_PLANET
Variable Bindings
sysUpTime:= 0.01 second (1)
snmpTrapOID:= CYAN-MIB:cyan.6.1.3.60 (1.3.6.1.4.1.28533.6.1.3.60)
cyan.6.1.1.1.0:= 48557
cyan.6.1.1.2.0:= 10.252.4.17
cyan.6.1.1.3.0:= Nodename
cyan.6.1.1.4.0:= 3
cyan.6.1.1.5.0:= OCh Term.
cyan.6.1.1.6.0:= LINE_OCH-1-6-1-210
cyan.6.1.1.7.0:= 388
cyan.6.1.1.8.0:= 60
cyan.6.1.1.9.0:= High Rx Power
cyan.6.1.1.10.0:= 0
cyan.6.1.1.11.0:= 3
cyan.6.1.1.12.0:= 2
cyan.6.1.1.13.0:= 1
cyan.6.1.1.14.0:= Signal Degrade - High Received Power
cyan.6.1.1.15.0:= Cyan Z33
cyan.6.1.1.16.0:= TP_SD
snmpTrapEnterprise:= CYAN-MIB:cyanProducts.6 (1.3.6.1.4.1.28533.1.6)
How can I tell Splunk to split these up into two separate events?
Here is some great documentation on how you can break events.
http://docs.splunk.com/Documentation/Splunk/6.2.2/Data/Indexmulti-lineevents
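As an added example (not part of the original question or answer), here is a props.conf stanza that breaks the trap file on each "Received Time:" line, so the two traps above land as two events. The sourcetype name `cyan_snmp_traps` is an assumption; the timestamp settings are also an assumption based on the "Received Time:" lines in the sample.

```ini
# props.conf on the indexer (or heavy forwarder) that parses this file.
# Stanza name is assumed; use whatever sourcetype the trap file is indexed as.
[cyan_snmp_traps]

# Do not let Splunk guess where events end by merging lines with timestamps.
SHOULD_LINEMERGE = false

# Break only at a newline that is immediately followed by "Received Time:".
# The first capture group is the delimiter Splunk discards between events,
# so every "Received Time:" line starts a new event and all the
# "Variable Bindings" lines that follow stay attached to it.
LINE_BREAKER = ([\r\n]+)(?=Received Time:)

# Long trap bodies should not be cut off; 0 disables truncation.
TRUNCATE = 0

# Take the event time from the "Received Time:" header rather than from
# any other number in the bindings (format assumed from the sample:
# 4/28/2016 8:40:55 AM).
TIME_PREFIX = Received Time:
TIME_FORMAT = %m/%d/%Y %I:%M:%S %p
MAX_TIMESTAMP_LOOKAHEAD = 25
```

Event breaking happens at index time, so this only affects data indexed after the change; the traps that were already merged into one event stay merged unless that data is re-indexed.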