Getting Data In

How to Segregate my events field every line, such that each line should be an event

rohithmn3
New Member

Hi Team,

Below is the single event for my search query:

SAS NodeAgent APPSERVER Service is Running
SAS JVM1 SASQC1AUQ4066LS03 Service is Running
SAS JVM2 SASQC1AUQ4066LS02 Service is Running
SAS JVM3 SASQC1AUQ4066LS01 Service is Running

I want each line to be a single event.

Event1 - SAS NodeAgent APPSERVER Service is Running

Event2 - SAS JVM1 SASQC1AUQ4066LS03 Service is Running

How can I achieve this? Please assist.

0 Karma
1 Solution

DalJeanis
SplunkTrust

This example is at search time.

This makes your test data...

| makeresults 
| eval _raw=" SAS NodeAgent APPSERVER Service is Running
 SAS JVM1 SASQC1AUQ4066LS03 Service is Running
 SAS JVM2 SASQC1AUQ4066LS02 Service is Running
 SAS JVM3 SASQC1AUQ4066LS01 Service is Running"

This puts flags into it before each " SAS " line, converts it into a multivalue field, and then breaks it into multiple events.

| rename _raw as raw 
| rex field=raw mode=sed "s/ SAS /!!!! SAS /g" 
| rex field=raw mode=sed "s/^!!!! SAS / SAS /" 
| makemv delim="!!!!" raw 
| mvexpand raw 
| rename raw as _raw

The renaming is because the internal field _raw has some special properties that we do not want to engage with.


This version assumes that there is other data before the first SAS line that needs to be copied onto each of the breakout records.

| makeresults 
| eval _raw="junk stuff that we don't care about but which needs to be on every line
 SAS NodeAgent APPSERVER Service is Running
 SAS JVM1 SASQC1AUQ4066LS03 Service is Running
 SAS JVM2 SASQC1AUQ4066LS02 Service is Running
 SAS JVM3 SASQC1AUQ4066LS01 Service is Running"
| rename _raw as raw 
| rex field=raw mode=sed "s/ SAS /!!!! SAS /g" 
| makemv delim="!!!!" raw 
| eval _raw = mvindex(raw,0)
| eval raw = mvindex(raw,1,mvcount(raw))
| mvexpand raw 
| eval _raw = _raw.raw


0 Karma
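The accepted answer splits the event at search time, so every search pays the rex/makemv/mvexpand cost. As an added note that is not part of the original thread, the same per-line split can be done once at index time with a props.conf stanza on the parsing tier (indexer or heavy forwarder); the sourcetype name "sas_service_status" is an assumption, use the one your input actually carries.

```ini
# props.conf on the parsing tier (indexer or heavy forwarder).
# Stanza name is an assumed sourcetype; replace it with the real one.
[sas_service_status]

# Do not reassemble consecutive lines into one multi-line event.
SHOULD_LINEMERGE = false

# Start a new event at every newline that is followed by a line whose
# first non-blank text is "SAS " (the sample data has an optional leading
# space, which \s* absorbs). The first capturing group is the separator
# and is discarded, so each event begins directly at its SAS line.
LINE_BREAKER = ([\r\n]+)(?=\s*SAS\s)

# Guard against a runaway event if the data ever stops matching.
TRUNCATE = 10000
```

Line breaking only applies to data indexed after the change takes effect, so events already on disk still need the search-time approach above.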

rohithmn3
New Member

Thanks! It worked.

0 Karma

DalJeanis
SplunkTrust

Does every line begin with "SAS"? Is there any other information in the _raw for the event? Can you post a full example event, in the exact format they occur (without sensitive data, obviously).

0 Karma