Searching for a single line from a text file
I have a semicolon (;) delimited text file. It has been indexed in Splunk.
INSERT INTO `account` VALUES ('abc');
INSERT INTO `account` VALUES ('xyz');
INSERT INTO `account` VALUES ('pqr');
INSERT INTO `account` VALUES ('mnp');
When I search for "pqr" it should show only 1 line. It is currently showing the next line "mnp" as well. There is no timestamp in the file, and Splunk is still grouping the lines by date-time. For example, all the lines mentioned above are listed as a group under 06/09/2011 19:01:17.000.
How do I return only one line when searching a semicolon-delimited file?
Because there is no timestamp, Splunk may be having difficulty determining if this is a single event (with 4 lines) or 4 separate events. All data is timestamped in Splunk. If incoming data does not have a timestamp, Splunk will assign the arrival time as the timestamp - and data arriving "simultaneously" may be interpreted as a single event.
To tell Splunk that your incoming data should be processed as "one event per line," put the following in $SPLUNK_HOME/etc/system/local/props.conf
If your events could be multiple lines and the semicolon (;) separates events, use the following instead.
If you have a choice, the first option is much more efficient. In both cases, I have included DATETIME_CONFIG to tell Splunk that there is no embedded timestamp; this will speed up input processing.
Finally, substitute "yoursourcetype" with the sourcetype of your data in the stanzas.
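The two props.conf stanzas the answer describes, written out as an added example (the answer's own stanzas are not reproduced on this page, so this is not the answerer's text). The `LINE_BREAKER` regex and the `[yoursourcetype]` name are assumptions; pick one stanza, not both, since stanzas with the same name merge.

```ini
# Option 1: one event per line. With SHOULD_LINEMERGE disabled, Splunk keeps
# the default LINE_BREAKER ([\r\n]+), so each INSERT line becomes its own event.
# DATETIME_CONFIG = NONE skips timestamp extraction; events get the index time.
[yoursourcetype]
SHOULD_LINEMERGE = false
DATETIME_CONFIG = NONE

# Option 2 (assumed regex): events may span several lines and end at a
# semicolon followed by a line break. Only the first capture group of
# LINE_BREAKER is discarded, so the semicolon stays in the event and the
# newline(s) after it are consumed.
[yoursourcetype]
SHOULD_LINEMERGE = false
LINE_BREAKER = ;([\r\n]+)
DATETIME_CONFIG = NONE
```

Line-breaking settings are applied at index time, so they take effect for newly indexed data after Splunk is restarted; events that were already indexed keep their original boundaries and must be re-indexed to be split. Correct event boundaries matter for detection content too: a search that matches 'pqr' should not drag in the unrelated 'mnp' record as context.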