Solved: How to Segregate my events field every line, such ...

rohithmn3 · ‎03-28-2017

Hi Team,

Below is the single event for my search query:

SAS NodeAgent APPSERVER Service is Running
SAS JVM1 SASQC1AUQ4066LS03 Service is Running
SAS JVM2 SASQC1AUQ4066LS02 Service is Running
SAS JVM3 SASQC1AUQ4066LS01 Service is Running

I want each line to be a single event.

Event1 -  SAS NodeAgent APPSERVER Service is Running

Event2- SAS JVM1 SASQC1AUQ4066LS03 Service is Running

How can i achieve this. Please assist.

DalJeanis · ‎03-28-2017

This example is at search time.

This makes your test data...

| makeresults 
| eval _raw=" SAS NodeAgent APPSERVER Service is Running
 SAS JVM1 SASQC1AUQ4066LS03 Service is Running
 SAS JVM2 SASQC1AUQ4066LS02 Service is Running
 SAS JVM3 SASQC1AUQ4066LS01 Service is Running"

This puts flags into it before each " SAS " line, converts it into a multivalue field, and then breaks it into multiple events

| rename _raw as raw 
| rex field=raw mode=sed "s/ SAS /!!!! SAS /g" 
| rex field=raw mode=sed "s/^!!!! SAS / SAS /" 
| makemv delim="!!!!" raw 
| mvexpand raw 
| rename raw as _raw

The renaming is because the internal field _raw has some special properties that we do not want to engage with.

This version assumes that there is other data before the first SAS line that needs to be copied onto each of the breakout records.

| makeresults 
| eval _raw="junk stuff that we don't care about but which needs to be on every line
 SAS NodeAgent APPSERVER Service is Running
 SAS JVM1 SASQC1AUQ4066LS03 Service is Running
 SAS JVM2 SASQC1AUQ4066LS02 Service is Running
 SAS JVM3 SASQC1AUQ4066LS01 Service is Running"
| rename _raw as raw 
| rex field=raw mode=sed "s/ SAS /!!!! SAS /g" 
| makemv delim="!!!!" raw 
| eval _raw = mvindex(raw,0)
| eval raw = mvindex(raw,1,mvcount(raw))
| mvexpand raw 
| eval _raw = _raw.raw

View solution in original post

DalJeanis · ‎03-28-2017

This example is at search time.

This makes your test data...

| makeresults 
| eval _raw=" SAS NodeAgent APPSERVER Service is Running
 SAS JVM1 SASQC1AUQ4066LS03 Service is Running
 SAS JVM2 SASQC1AUQ4066LS02 Service is Running
 SAS JVM3 SASQC1AUQ4066LS01 Service is Running"

This puts flags into it before each " SAS " line, converts it into a multivalue field, and then breaks it into multiple events

| rename _raw as raw 
| rex field=raw mode=sed "s/ SAS /!!!! SAS /g" 
| rex field=raw mode=sed "s/^!!!! SAS / SAS /" 
| makemv delim="!!!!" raw 
| mvexpand raw 
| rename raw as _raw

The renaming is because the internal field _raw has some special properties that we do not want to engage with.

This version assumes that there is other data before the first SAS line that needs to be copied onto each of the breakout records.

| makeresults 
| eval _raw="junk stuff that we don't care about but which needs to be on every line
 SAS NodeAgent APPSERVER Service is Running
 SAS JVM1 SASQC1AUQ4066LS03 Service is Running
 SAS JVM2 SASQC1AUQ4066LS02 Service is Running
 SAS JVM3 SASQC1AUQ4066LS01 Service is Running"
| rename _raw as raw 
| rex field=raw mode=sed "s/ SAS /!!!! SAS /g" 
| makemv delim="!!!!" raw 
| eval _raw = mvindex(raw,0)
| eval raw = mvindex(raw,1,mvcount(raw))
| mvexpand raw 
| eval _raw = _raw.raw

rohithmn3 · ‎03-29-2017

Thanks..! It worked

DalJeanis · ‎03-28-2017

Does every line begin with "SAS"? Is there any other information in the _raw for the event? Can you post a full example event, in the exact format they occur (without sensitive data, obviously).

How to Segregate my events field every line, such that each line should be an event

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life