Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Showing multiline _raw data in a table

Hazel
Communicator
‎04-27-2010 03:05 PM

Hello,

I am rewriting this - hope it makes more sense. I have config files, which I am passing into splunk as follows.

The file is a list of comments (which I dont want) followed by stuff i do want that starts with the word sample, so i use this, split at sample, then delete anything that starts with a # (the comments)

[queueconfig]
CHECK_METHOD = entire_md5
SHOULD_LINEMERGE = true
BREAK_ONLY_BEFORE = ^sample
TRANSFORMS-emsThree = commentRemoval

[commentRemoval]
REGEX=^#
DEST_KEY = queue
FORMAT = nullQueue

You end up with an event, e.g

sample
sample1
queue1
topic1

What I want, is to now put this data into a multiline field, but it doesnt work.

I have tried the following

[multiLineTopic] 
REGEX = (?m-s)(.*) 
MV_ADD = true FORMAT = config::$1

This hangs, never returns 

[multiLineTopic] 
REGEX = (?m-s)(.*) 
FORMAT = config::$1

This just stores the first line of text from the event eg sample

[multiLineTopic] 
REGEX = (?s)(.*) 
MV_ADD = true 
FORMAT = config::$1

This stores all lines, but in one single long line, no new line characters. eg sample sample1 queue1 ....

I am looking to see a multilined field, like in the raw data.

Hope this makes more sense now. Any ideas?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Johnvey
Contributor
‎04-28-2010 12:41 AM

To clarify, there are 2 distinct items here: multi-line data, and a multi-value field.

  • multi-line event: this is a single event that contains multiple lines, which may contain some number of fields, ex: a Java stack trace
  • multi-value field: this is a single field within an event that may contain more than one value, ex: to_address=bob@example.com,joe@example.com,jane@example.com

The current table renderer that ships with Splunk 4.0+ will render multi-value fields on separate lines, but render a multi-line event as a single line. Obviously the raw event renderer will always show multi-line events with line breaks preserved.

If you want to render multi-line events in a table with line breaks preserved, you can add a CSS rule to the desired table (either via an application.css or other custom CSS file). In the meantime, I will file this as an enhancement request.

View solution in original post

Reply
Solved! Jump to solution
Solution

Johnvey
Contributor
‎04-28-2010 12:41 AM

To clarify, there are 2 distinct items here: multi-line data, and a multi-value field.

  • multi-line event: this is a single event that contains multiple lines, which may contain some number of fields, ex: a Java stack trace
  • multi-value field: this is a single field within an event that may contain more than one value, ex: to_address=bob@example.com,joe@example.com,jane@example.com

The current table renderer that ships with Splunk 4.0+ will render multi-value fields on separate lines, but render a multi-line event as a single line. Obviously the raw event renderer will always show multi-line events with line breaks preserved.

If you want to render multi-line events in a table with line breaks preserved, you can add a CSS rule to the desired table (either via an application.css or other custom CSS file). In the meantime, I will file this as an enhancement request.

Reply
Solved! Jump to solution

Hazel
Communicator
‎04-28-2010 08:18 AM

Thankyou, this makes things clearer. It would be great to have this added as an enhancement

0 Karma
Reply
Solved! Jump to solution

gkanapathy
Splunk Employee
Splunk Employee
‎04-27-2010 05:13 PM

I don't know what your field extractions look like, but you should use a multivalued field for each config line, then:

... | stats list(config) by Application

A multivalue extraction might look in transforms.conf like:

[config-lines]
REGEX = (?m-s)^(?<config>[^\V]*)$
MV_ADD = true
0 Karma
Reply
Solved! Jump to solution

Hazel
Communicator
‎04-28-2010 08:26 AM

Hello. Not to worry, I was misunderstanding the answer - as pointed out above now, I can't have a multiline field. However, I am now trying to implement your stats list which was working great on individual searches until I tried to join them, would you have any ideas? - http://answers.splunk.com/questions/1912/using-multiple-stats-list

0 Karma
Reply
Solved! Jump to solution

gkanapathy
Splunk Employee
Splunk Employee
‎04-28-2010 12:51 AM

And what about the one I provided? It should do the same as the first one you tried that hangs, but I don't see why it would hang.

0 Karma
Reply
Solved! Jump to solution

Hazel
Communicator
‎04-27-2010 07:28 PM

Hello. I have rewritten my question, now that I have tried to implement your transform, I see this is the best way, to get a multi line field - but i can't get it to work. Any ideas?

0 Karma
Reply
Get Updates on the Splunk Community!

Database Performance Sidebar Panel Now on APM Database Query Performance & Service ...

We’ve streamlined the troubleshooting experience for database-related service issues by adding a database ...

IM Landing Page Filter - Now Available

We’ve added the capability for you to filter across the summary details on the main Infrastructure Monitoring ...

Dynamic Links from Alerts to IM Navigators - New in Observability Cloud

Splunk continues to improve the troubleshooting experience in Observability Cloud with this latest enhancement ...