
How to add event breaks after indexing a file in splunk

harinivgr
Explorer

I have a folder which contains multiple files. I have indexed the folder as continuous monitoring. I have used rex in my query to extract the fields. The rex would work only if I change event breaks to every line. But the problem is, when I index a folder as continuous monitoring, the step where I would select event breaks to every line is automatically skipped. Is there any way to solve this issue? Can I add event breaks after indexing a file?

0 Karma

Sukisen1981
Champion

hi @harinivgr
try this

 | rex max_match=0 "(?m)^(?<lines>.+)$"
 | table lines
 | mvexpand lines

0 Karma

Sukisen1981
Champion

hi @harinivgr
Please accept the answer if it significantly helped resolve your issue or let us know if there are any more issues

0 Karma

Sukisen1981
Champion

You can add event breaks and make your _raw look like separate events. Can you please give a sample of your event and where you want to break those events?

0 Karma

Sukisen1981
Champion

Could you add a sample of your events? This is possible both before and after indexing, but we need to see your event sample.

0 Karma

harinivgr
Explorer

-- Printed: 19/08/14 At: 02:19 Hrs. --
-- By: IBMUSER Page No.: 1 --



VOLUME FREE % ALLOC FRAG LARGEST FREE INDEX FREE FREE DEVICE DEV SHR USE RD CACHE DASD FW CACHE FW D
SERIAL SPACE FREE SPACE INDEX EXTENT EXTENTS STATUS DSCBS VIRS TYPE NUM DASD ATTR STATUS STATUS STATUS S
-(2)-- ---(3)--- (4)- ---(5)--- -(6)- ---(7)--- --(8)-- --(9)--- -(10)-- -(11)-- -(12)-- (13) (14) (15) --(16)-- --(17)-- --(18)-- -
TMPWKA 8404976K 84 1555493K 0 8404976K 1 ENABLED 7489 1223 3390-9 0B0A NO PRIV ACTIVE ACTIVE ACTIVE S
TMPWKB 9870825K 99 89644K 0 9870825K 1 ENABLED 7494 1223 3390-9 0B0B NO PRIV ACTIVE ACTIVE ACTIVE S
TMPWKC 9808572K 98 151897K 0 9808572K 1 ENABLED 7495 1223 3390-9 0B0C NO PRIV ACTIVE ACTIVE ACTIVE S
VDANBA 722964K 17 3427231K 109 422435K 7 ENABLED 701 285 3390-9 1A1F NO PRIV ACTIVE ACTIVE ACTIVE S
VDAUTJ 270648K 27 725399K 18 263122K 4 ENABLED 697 289 3390-9 19DE NO PRIV ACTIVE ACTIVE ACTIVE S
VDBAQB 321336K 32 674711K 73 245692K 4 ENABLED 719 289 3390-9 1A15 NO PRIV ACTIVE ACTIVE ACTIVE S
VDCAVA 95454K 66 49803K 0 95454K 1 ENABLED 722 290 3390-9 0B57 NO PRIV ACTIVE ACTIVE ACTIVE S
VDCDPA 729770K 73 266277K 0 729604K 3 ENABLED 708 289 3390-9 1A18 NO PRIV ACTIVE ACTIVE ACTIVE S
VDCHCA 1590632K 87 235454K 0 1590632K 1 ENABLED 715 288 3390-9 18DE NO PRIV ACTIVE ACTIVE ACTIVE S
VDDB1A 575438K 43 752625K 0 575217K 2 ENABLED 7481 2515 3390-9 1990 NO PRIV ACTIVE ACTIVE ACTIVE S
VDDB1B 301747K 23 1026316K 205 151067K 14 ENABLED 7457 2515 3390-9 1991 NO PRIV ACTIVE ACTIVE ACTIVE S
VDDCFA 11953K 6 178956K 37 11621K 4 ENABLED 707 311 3390-9 0CD7 NO PRIV ACTIVE ACTIVE ACTIVE S

The above is sample data. I have 3 files inside a single folder. While adding this folder as continuous monitoring, Splunk skipped the event break setting step. But while adding it as a single file, we can break the events per line. So we need to set the event break to every line after adding the folder.

0 Karma
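As an added illustration (not part of the thread and not Splunk's own code): the rex/mvexpand approach from the answer, emulated in Python over a few constructed lines of the volume report from the question, followed by the per-line field extraction that the split makes possible. The field names (volser, free_kb and so on) are my own assumptions, mapped from the report's column headers.

```python
import re

# Constructed sample: a few lines of the DASD volume report from the thread,
# as one multi-line _raw event (what indexing the folder with default line
# merging produces). The blank line is deliberate.
RAW = """\
-- Printed: 19/08/14 At: 02:19 Hrs. --
-- By: IBMUSER Page No.: 1 --

VOLUME FREE % ALLOC FRAG LARGEST FREE INDEX FREE FREE DEVICE DEV SHR USE RD CACHE DASD FW CACHE FW D
-(2)-- ---(3)--- (4)- ---(5)--- -(6)- ---(7)--- --(8)-- --(9)--- -(10)-- -(11)-- -(12)-- (13) (14) (15) --(16)-- --(17)-- --(18)-- -
TMPWKA 8404976K 84 1555493K 0 8404976K 1 ENABLED 7489 1223 3390-9 0B0A NO PRIV ACTIVE ACTIVE ACTIVE S
VDDB1B 301747K 23 1026316K 205 151067K 14 ENABLED 7457 2515 3390-9 1991 NO PRIV ACTIVE ACTIVE ACTIVE S
"""

# Equivalent of:  | rex max_match=0 "(?m)^(?<lines>.+)$" | mvexpand lines
# Without the (?m) flag, ^ only matches at the very start of _raw, so
# max_match=0 would still return just the first line.
LINE_RE = re.compile(r"(?m)^(?P<lines>.+)$")

def split_lines(raw):
    """One entry per non-empty line, like mvexpand on the rex result."""
    return [m.group("lines") for m in LINE_RE.finditer(raw)]

# Field extraction for one volume row. Python needs (?P<name>...); in Splunk's
# rex the same pattern is written with (?<name>...). Column names are assumed
# from the report header.
VOLUME_RE = re.compile(
    r"^(?P<volser>[A-Z0-9]{6})\s+(?P<free_kb>\d+)K\s+(?P<pct_free>\d+)\s+"
    r"(?P<alloc_kb>\d+)K\s+(?P<frag_index>\d+)\s+(?P<largest_kb>\d+)K\s+"
    r"(?P<free_extents>\d+)\s+(?P<index_status>\w+)\s+(?P<free_dscbs>\d+)\s+"
    r"(?P<free_virs>\d+)\s+(?P<dev_type>\S+)\s+(?P<dev_num>[0-9A-F]{4})\b"
)
INT_FIELDS = ("free_kb", "pct_free", "alloc_kb", "frag_index",
              "largest_kb", "free_extents", "free_dscbs", "free_virs")

def extract_volumes(raw):
    """Split _raw per line, then keep only lines that are volume rows.
    Banner, header and blank lines produce no match and are dropped, which
    is the same outcome as a rex that fails to match on those events."""
    rows = []
    for line in split_lines(raw):
        m = VOLUME_RE.match(line)
        if m:
            row = m.groupdict()
            for key in INT_FIELDS:
                row[key] = int(row[key])
            rows.append(row)
    return rows
```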