topic Re: Break a multiple events into a single event based on timestamp in Getting Data In

Break a multiple events into a single event based on timestamp

RAVISHANKAR — Wed, 01 Apr 2026 16:38:05 GMT

How to Break a multiple events into a single event based on timestamp?

My logs doesn't have a date and it only has timestamp - For Ex - it starts as below format..

17:22:29.875

Splunk version - 9.2.1

i have tried many options in props.conf but no luck still i could see multiple events in my search and i couldn't see events are breaked as per each timestamp.

will LINE_BREAKER works or BREAK_ONLY_BEFORE - tried both but no luck.. is it possible to break events with timestamp in splunk or it's possible to break events only with date and time ??

Thanks in Advance.

Re: Break a multiple events into a single event based on timestamp

richgalloway — Fri, 29 Nov 2024 17:55:29 GMT

It is possible to break events on *anything*. It would help to see a sanitized example of the events you wish to break, but these settings should help.

SHOULD_LINEMERGE = false LINE_BREAKER = ([\r\n]+)\d\d:\d\d

Re: Break a multiple events into a single event based on timestamp

PickleRick — Fri, 29 Nov 2024 19:36:54 GMT

To be fully honest - I have no idea what you want to do. Please post a sample of your incoming data and tell us where you want it broken into separate events.

Re: Break a multiple events into a single event based on timestamp

marnall — Sun, 01 Dec 2024 05:33:04 GMT

Ultimately Splunk needs a date to know where to file your event. If the date is missing from the logs, then you need to supply or assume it from somewhere else.

E.g. if Splunk sees the time "17:22:29.875", then do you want Splunk to assume that the date is the day of indexing? So if yesterday, then the full timestamp would be 2024-30-11 17:22:29.875

Re: Break a multiple events into a single event based on timestamp

RAVISHANKAR — Tue, 03 Dec 2024 16:58:19 GMT

@richgalloway

It works ...

but however only if i pass source it taking this rule effective if i pass sourcetype this rule not effective in props.conf.

Thank you..

Re: Break a multiple events into a single event based on timestamp

richgalloway — Tue, 03 Dec 2024 18:03:37 GMT

I'm not sure what that statement means.

props apply only to the sourcetype, source, or host listed in the stanza name. It may be necessary to replicate a stanza to cover all scenarios.