Splunk Search

is a multi-line value possible for dedicated key-value pairs of an event?

DrFedtke
Explorer

Dear Splunk community,

We create events in our own format, and in principle everything works well.

For example, an event looks like:

SF_SPLUNK_EVENT^eventId=EVT_1019^alertLevel=2^ ... ^dateTime=Jul 02 2018 11:49:49^title=SPLUNK_SHER_DATA ---^standard=Sherlock-z/OS^msg=SHKI6209 RESOURCE ALERT CONCERNING 006 <-> "RES...

As you see, it is in principle a single-line event, meaning 1 record/line = 1 event in Splunk.

Specialty:
One field/key in our event is actually a multi-line field, namely the msg= field.
That is, the value of the key "msg=" contains a multi-line message, and we
have converted the original/actual format into single-line text for Splunk
by separating the lines with a "<->" separator (which we can easily change if
that helps to accomplish our mission).

OUR KIND QUESTION: is there a way to tell Splunk that the msg= field
is a multi-line field, so that it is displayed as such by honoring the
given line separator?

OR would it be an alternative to include each single line via its
own msg=... key-value pair?

Thanks a lot for your feedback.

Best regards,
stephen

0 Karma

DMohn
Motivator

If you need the event to be multi-line in Splunk, I would recommend leaving it multi-line while forwarding it.

What was the original purpose of converting it to a single-line event? Line-/event-breaking issues? In that case I'd suggest reviewing your props.conf settings for the particular sourcetype, so that the events are broken correctly even if they come in as multi-line.

You could try the following settings:

[your_sourcetype]
# Do not re-merge lines after breaking; each break is one event.
SHOULD_LINEMERGE = false
# Group 1 (the newline run) is the break and is discarded; the next
# event starts right after it, so "SF_SPLUNK_EVENT" stays at its front.
LINE_BREAKER = ([\r\n]+)(SF_SPLUNK_EVENT)

This should break the incoming events at the string "SF_SPLUNK_EVENT", leaving other line breaks as they are. So there will be no need to convert a field from single-line to multi-line anymore.

0 Karma
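The following is an added example, not code from either poster or from Splunk. It models, in plain Python, the two routes discussed in this thread: the reply's LINE_BREAKER regex applied to a raw stream in which the msg= value keeps its real line breaks (using Splunk's documented rule that the first capturing group is the break and is discarded), and the original post's single-line format in which the message lines are joined with "<->". The sample stream, the field values, and the assumption that msg= is always the last field are constructed for illustration; the Sherlock event format itself is only known from the one truncated sample in the question.

```python
import re

# Constructed sample stream (not taken from the post): three events as a
# forwarder would send them if the multi-line msg= value were left intact.
RAW_STREAM = (
    "SF_SPLUNK_EVENT^eventId=EVT_1019^alertLevel=2^dateTime=Jul 02 2018 11:49:49"
    "^title=SPLUNK_SHER_DATA ---^standard=Sherlock-z/OS"
    "^msg=SHKI6209 RESOURCE ALERT CONCERNING 006\n"
    "second line of the message\n"
    "third line of the message\n"
    "SF_SPLUNK_EVENT^eventId=EVT_1020^alertLevel=1^dateTime=Jul 02 2018 11:50:03"
    "^msg=single-line message\n"
    "SF_SPLUNK_EVENT^eventId=EVT_1021^alertLevel=3^dateTime=Jul 02 2018 11:50:10"
    "^msg=line one\r\nline two\n"
)

# Constructed single-line variant of the first event, as the original post
# describes it: message lines joined with the "<->" separator.
SINGLE_LINE_EVENT = (
    "SF_SPLUNK_EVENT^eventId=EVT_1019^alertLevel=2^dateTime=Jul 02 2018 11:49:49"
    "^msg=SHKI6209 RESOURCE ALERT CONCERNING 006<->second line of the message"
    "<->third line of the message"
)

EVENT_MARKER = "SF_SPLUNK_EVENT"

# The regex from the reply's props.conf. Splunk documents LINE_BREAKER as:
# the first capturing group is the break, its text is discarded, and the
# next event starts right after it. The second group is not discarded, so
# the marker stays at the front of the event it begins.
LINE_BREAKER = re.compile(r"([\r\n]+)(SF_SPLUNK_EVENT)")


def break_events(stream: str) -> list:
    """Model SHOULD_LINEMERGE=false plus LINE_BREAKER on a raw text stream."""
    events = []
    start = 0
    for m in LINE_BREAKER.finditer(stream):
        events.append(stream[start:m.start(1)])  # up to the discarded newline(s)
        start = m.end(1)                          # next event begins at the marker
    events.append(stream[start:])
    # Newlines inside an event survive; only a trailing newline is trimmed.
    return [e.rstrip("\r\n") for e in events if e.strip()]


def parse_event(event: str, msg_separator: str = "") -> dict:
    """Split a ^-delimited key=value record into a field dict.

    Assumption (matches the posted sample): msg= is the last field, so
    everything after "^msg=" is the message and is not split on "^" again.
    That keeps embedded newlines (multi-line ingestion) intact. If the
    single-line form was used, pass msg_separator="<->" to turn the
    separator back into line breaks.
    """
    marker, _, body = event.partition("^")
    if marker != EVENT_MARKER:
        raise ValueError(f"not an {EVENT_MARKER} record: {marker!r}")
    head, found, msg = ("^" + body).partition("^msg=")
    fields = {}
    for pair in head.split("^")[1:]:
        key, eq, value = pair.partition("=")
        if eq:
            fields[key] = value
    if found:
        fields["msg"] = msg.replace(msg_separator, "\n") if msg_separator else msg
    return fields


def msg_lines(fields: dict) -> list:
    """Return the message as a list of lines, however it was ingested."""
    return fields.get("msg", "").splitlines()


if __name__ == "__main__":
    for raw in break_events(RAW_STREAM):
        f = parse_event(raw)
        print(f["eventId"], msg_lines(f))
    print(msg_lines(parse_event(SINGLE_LINE_EVENT, msg_separator="<->")))
```

Both routes end in the same three message lines for EVT_1019. The `msg_separator` branch is the same substitution that Splunk's `replace()` eval function would perform at search time if the single-line format is kept; the `break_events` model shows why the reply's regex can keep multi-line messages intact: a newline run only ends an event when the next marker follows it, so the line breaks inside a message are never matched.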