- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Splitting one event into multiple events
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This should be a simple question. In fact, I've succeeded in doing this before, but I no longer have that app and I can't recall the solution.
I run a script that outputs something like the following:
Queue Status
----- ------
MTAB208A READY
MTAB310C READY
MTAB318A READY
MTAB318B READY
I want Splunk to alert me when the "READY" status changes to "DOWN" (or something other than "READY").
So I wrote a script that uses sed to remove the first two lines, so the output becomes:
MTAB208A READY
MTAB310C READY
MTAB318A READY
MTAB318B READY
I want Splunk to extract two fields: queue and status. This is easy enough except I want each of those queues to be its own event. Instead, I get one big event containing all four queues.
How do I get each of those queues to be its own event? I know there's an easy way to do this but I'm having a mind block here. (I suppose the other option is to do away with the sed trimming and use multikv, but I think that might over-complicate this.)
I tried using LINE_BREAKER in props.conf but that didn't do anything:
LINE_BREAKER = ^\w+\s+\w+
Update: Figured it out! I needed to use "MUST_BREAK_AFTER". Oh yeah, and bounce Splunk after updating props.conf.
Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You should split the events at index time by specifying something like this in your props.conf:
[your_sourcetype]
SHOULD_LINEMERGE = false
DATETIME_CONFIG = current
LINE_BREAKER=([\r\n]+)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I tried it after changing /opt/splunkforwarder/etc/apps/Metro_TA_iibcorp/local/props.conf but it fails again to split the EventType.
[metro:iibcorpqmon]
SHOULD_LINEMERGE = false
DATETIME_CONFIG = current
LINE_BREAKER=([\r\n]+)
Is the props .conf in the correct place?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@AmitKapila - This question is quite old and it may not garner the type of attention and activity that you seek. I would suggest posting a new question. Thank you.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You should split the events at index time by specifying something like this in your props.conf:
[your_sourcetype]
SHOULD_LINEMERGE = false
DATETIME_CONFIG = current
LINE_BREAKER=([\r\n]+)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Aaaah okay. I got it working with: MUST_BREAK_AFTER = ^\w+\s+\w+ Does that seem reasonable too? Thanks!
Welcome to the Splunk Community!
Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM
Adoption of RUM and APM at Splunk
