https://community.splunk.com/t5/Getting-Data-In/time-need-to-be-pick-from-log-middle-entry/m-p/569123#M100950 <P>So the event could contain "NOT_AVAILABLE" or it could contain <STRONG>anything else</STRONG>, right?&nbsp; That's makes it nearly impossible to define a rule for separating events.&nbsp; I'm not sure I can help here.</P> Thu, 30 Sep 2021 12:17:29 GMT richgalloway 2021-09-30T12:17:29Z https://community.splunk.com/t5/Getting-Data-In/time-need-to-be-pick-from-log-middle-entry/m-p/568944#M100936 <P>Hello All,</P><P>Can any one help me on this event injection in Splunk.</P><P>&nbsp;</P><P>sample data</P><P>122.0.0.2 NOT_AVAILABLE abc Agent= 2021-09-27 11:15:39 5648 WARN xyz<BR />NOT_AVAILABLE NOT_AVAILABLE NOT_AVAILABLE NOT_AVAILABLE 2021-09-27 11:16:08 5432 DEBUG Field: xyz<BR />- value: ID<BR />- unformatted value: vvcsa<BR />- formatted value: abcsc<BR />- returnType:<BR />- boost: 1<BR />- append: False</P><P>&nbsp;</P><P>Here it have to be two events with respective date time.</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Wed, 29 Sep 2021 14:47:52 GMT https://community.splunk.com/t5/Getting-Data-In/time-need-to-be-pick-from-log-middle-entry/m-p/568944#M100936 snehal8 2021-09-29T14:47:52Z https://community.splunk.com/t5/Getting-Data-In/time-need-to-be-pick-from-log-middle-entry/m-p/568965#M100937 <P>Please show where the event should be broken.</P> Wed, 29 Sep 2021 15:40:23 GMT https://community.splunk.com/t5/Getting-Data-In/time-need-to-be-pick-from-log-middle-entry/m-p/568965#M100937 richgalloway 2021-09-29T15:40:23Z https://community.splunk.com/t5/Getting-Data-In/time-need-to-be-pick-from-log-middle-entry/m-p/568980#M100938 <P>Thank you for the reply.</P><P>&nbsp;</P><P>The event should be broken by follows</P><P><U><STRONG>1st Event&nbsp;</STRONG></U></P><P><SPAN>122.0.0.2 NOT_AVAILABLE abc Agent= 2021-09-27 11:15:39 5648 WARN xyz</SPAN></P><P>&nbsp;</P><P><U><STRONG>2nd Event</STRONG></U></P><P><SPAN>NOT_AVAILABLE NOT_AVAILABLE NOT_AVAILABLE NOT_AVAILABLE 2021-09-27 11:16:08 5432 DEBUG Field: xyz<BR />- value: ID<BR />- unformatted value: vvcsa<BR />- formatted value: abcsc<BR />- returnType:<BR />- boost: 1<BR />- append: False</SPAN></P><P>&nbsp;</P> Wed, 29 Sep 2021 16:47:54 GMT https://community.splunk.com/t5/Getting-Data-In/time-need-to-be-pick-from-log-middle-entry/m-p/568980#M100938 snehal8 2021-09-29T16:47:54Z https://community.splunk.com/t5/Getting-Data-In/time-need-to-be-pick-from-log-middle-entry/m-p/569006#M100941 <P>I presume "NOT_AVAILABLE" represents sensitive data that can't be shared in a public forum.&nbsp; Regrettably, this method of sanitization makes it rather difficult to create a regex that Splunk can use to split events.&nbsp; Can you sanitize the data another way?</P> Wed, 29 Sep 2021 19:04:51 GMT https://community.splunk.com/t5/Getting-Data-In/time-need-to-be-pick-from-log-middle-entry/m-p/569006#M100941 richgalloway 2021-09-29T19:04:51Z https://community.splunk.com/t5/Getting-Data-In/time-need-to-be-pick-from-log-middle-entry/m-p/569083#M100948 <P>whenever there is no data in logs its represent as&nbsp;<SPAN>"NOT_AVAILABLE" entry.&nbsp;</SPAN></P><P><SPAN>Please do consider this in regex as well.&nbsp;</SPAN></P><P>&nbsp;</P> Thu, 30 Sep 2021 08:59:07 GMT https://community.splunk.com/t5/Getting-Data-In/time-need-to-be-pick-from-log-middle-entry/m-p/569083#M100948 snehal8 2021-09-30T08:59:07Z https://community.splunk.com/t5/Getting-Data-In/time-need-to-be-pick-from-log-middle-entry/m-p/569123#M100950 <P>So the event could contain "NOT_AVAILABLE" or it could contain <STRONG>anything else</STRONG>, right?&nbsp; That's makes it nearly impossible to define a rule for separating events.&nbsp; I'm not sure I can help here.</P> Thu, 30 Sep 2021 12:17:29 GMT https://community.splunk.com/t5/Getting-Data-In/time-need-to-be-pick-from-log-middle-entry/m-p/569123#M100950 richgalloway 2021-09-30T12:17:29Z https://community.splunk.com/t5/Getting-Data-In/time-need-to-be-pick-from-log-middle-entry/m-p/569157#M100952 <P>Its can contain the IP address or if its empty then it contain "<SPAN>NOT_AVAILABLE</SPAN>".</P><P>Please do let me know if it help.</P> Thu, 30 Sep 2021 14:20:48 GMT https://community.splunk.com/t5/Getting-Data-In/time-need-to-be-pick-from-log-middle-entry/m-p/569157#M100952 snehal8 2021-09-30T14:20:48Z