Getting Data In

How can I break up one long line into multiple events?

snorri
Path Finder

I have a file that contains one really long line, see below

Example:
["2017-10-09 13:05",976.0,"OK"],["2017-10-09 13:06",908.0,"OK"],["2017-10-09 13:07",1001.0,"OK"] ...... And so on..

How can I break up each ["2017-10-09 13:05",976.0,"OK"] into events?

I first tried to accomplish this in props.conf with no luck.
So now Im adding the file using "upload file" just to see if I can breake the line, still with no luck..

Any pointers would be much appriciated

0 Karma

cmerriman
Super Champion

in props.conf you should be able to configure line breaking. a regex of something like LINE_BREAKER=\]([,])might do the trick.

you can also do this via the UI. Just go to Add Data>Monitor/Upload/Forward. Eventually, you'll get to the Set Sourcetype stage and you can configure the event breaks there. you can see where/how the events are going to break and adjust accordingly.
https://docs.splunk.com/Documentation/SplunkCloud/6.6.3/Data/Modifyeventprocessing

skalliger
SplunkTrust
SplunkTrust

Hi,

what did you try to do in your props.conf?
What you are looking for is the BREAK_ONLY_BEFORE (or MUST_BREAK_AFTER) setting.
I would go with somethign like this:

[your_sourcetype (defined in inputs.conf)]
MUST_BREAK_AFTER = (\"\]\,)

So, your event gets broken after the comma.

Skalli

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...