Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to split multi-line events at search time?

aa123s
Explorer
‎02-14-2018 09:26 AM

I have events that look like this:

[abc] logline1
[def] logline 2
[ghi] logline 3

and I would like to split those events at search time into 3 single line events.
Is that possible?

Thanks!

P.S.
I Know this should be done at Indexer / Heavy Forwarder level using LINE_BREAKER, but that's not an option at this time.

Reply
1 Solution
Solved! Jump to solution
Solution

adonio
Ultra Champion
‎02-14-2018 09:49 AM

hello there,

maybe try the mvexpand command
check i tout:
https://docs.splunk.com/Documentation/Splunk/7.0.2/SearchReference/Mvexpand

View solution in original post

Reply
Solved! Jump to solution

msquicc
Explorer
‎05-25-2022 08:28 AM

here's what I came up with.  seems to work pretty well without modifying the data:

 

| makeresults | eval _raw = "[abc] logline1
[def] logline 2
[ghi] logline 3"


| eval raw=_raw
| makemv tokenizer="(.*(\r\n|\r|\n|$))" raw
| mvexpand raw
| rename raw as _raw
0 Karma
Reply
Solved! Jump to solution

micahkemp
Champion
‎02-14-2018 11:36 AM

Referring to your previous question:

https://answers.splunk.com/answers/618398/why-is-splunk-not-breaking-each-log-line-into-sing.html#an...

I strongly suggest working now to get these logs indexed properly instead of trying to solve this problem at search time. You will end up being frustrated time and time again if your events are not indexed properly.

0 Karma
Reply
Solved! Jump to solution

aa123s
Explorer
‎02-14-2018 11:54 AM

I got that, Thanks. We are already working to add correct indexing at forwarder level. In the mean time, however, we need this workaround.

0 Karma
Reply
Solved! Jump to solution
Solution

adonio
Ultra Champion
‎02-14-2018 09:49 AM

hello there,

maybe try the mvexpand command
check i tout:
https://docs.splunk.com/Documentation/Splunk/7.0.2/SearchReference/Mvexpand

Reply
Solved! Jump to solution

aa123s
Explorer
‎02-14-2018 11:14 AM

Before posting I tried this:
| rex mode=sed "s/([\r\n]+)/##LF##/g" | makemv _raw delim="##LF##" | mvexpand _raw

but I couldn't make it work. Events are joined in a long string separated by ##LF##, but then those lines don't split back into separate events

0 Karma
Reply
Solved! Jump to solution

somesoni2
SplunkTrust
SplunkTrust
‎02-14-2018 11:20 AM

Try like this. The mvexpand command doesn't seem to work with fields starting with underscore.

your base search | rex mode=sed "s/([\r\n]+)/##LF##/g" | makemv _raw delim="##LF##" | rename _raw as raw | mvexpand raw | rename raw as _raw
Reply
Solved! Jump to solution

aa123s
Explorer
‎02-14-2018 11:49 AM

Super! Its almost working: the remaining problem is that lines are being re-grouped in reverse order... Could that be fixed? Thanks!

0 Karma
Reply
Solved! Jump to solution

aa123s
Explorer
‎02-14-2018 11:58 AM

I'm sorry my comment was incomplete. I meant rows are being re-grouped in reverse order when I pipe the output of your solution to transaction ...
It normally doesn't happen

0 Karma
Reply
Solved! Jump to solution

aa123s
Explorer
‎02-14-2018 12:05 PM

I ended up adding | reverse at the end... go figure why that happens!...
Thanks a lot!

0 Karma
Reply
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...