https://community.splunk.com/t5/Getting-Data-In/How-to-line-break-events-based-on-timestamp-to-include-multiple/m-p/133080#M27345 <P>Doing it at searchtime is too slow for what I am trying to achieve. When we do transaction _time, the query takes 2/3 minutes to run. I really need to index them together as an event based on timestamp(though really, I need to group this data into one event: </P> <P>9/17/14 6:00:06.274 PM<BR /><BR /> 09-17-2014 18:00:06.274 DATA MESSAGE RCVD HOSTNAME-1 DATA:HLCSPOSITIONINFO;;S123412|STUFF THING|1234.111|112211|UPDATE|54321<BR /> 9/17/14 6:00:06.274 PM<BR /><BR /> 09-17-2014 18:00:06.274 HOSTNAME-1:RCVD DATA = HLCSPOSITIONINFO;S123412|STUFF THING|1234.111|112211|UPDATE|54321<BR /> 9/17/14 6:00:06.274 PM<BR /><BR /> 09-17-2014 18:00:06.274 DATAGRAM FORWARDED TO CLIENT: &lt;123412&gt; [HLCSPOSITIONINFO;S123412|STUFF THING|1234.111|112211|UPDATE|54321<BR /> 9/17/14 6:00:06.274 PM<BR /><BR /> 09-17-2014 18:00:06.274 MOBILE CLIENT ASSIGNMENT FOUND:S123412</P> <P>This is coming accross as 4 separate events, and I need it to be one event. We can easily get this done at search time, but our need is to have it done at index time. It does -not- have to be by the timestamp, but it seemed like low hanging fruit at the time, but is still eluding us. </P> Tue, 23 Sep 2014 13:28:35 GMT corydm 2014-09-23T13:28:35Z https://community.splunk.com/t5/Getting-Data-In/How-to-line-break-events-based-on-timestamp-to-include-multiple/m-p/133078#M27343 <PRE><CODE>09-17-2014 18:00:01.024 DATA MESSAGE RCVD FROM:W228707 DATA:POLL\x04 09-17-2014 18:00:01.024 DATA MESSAGE RCVD FROM:NOCTMDS-A20 DATA:POLL 09-17-2014 18:00:01.024 DATA MESSAGE RCVD FROM:W203911 DATA:POLL\x04 09-17-2014 18:00:01.055 DATA MESSAGE RCVD FROM:W231427 DATA:POLL\x04 09-17-2014 18:00:01.071 DATA MESSAGE RCVD FROM:W211499 DATA:POLL\x04 09-17-2014 18:00:01.087 DATA MESSAGE RCVD FROM:W231259 DATA:POLL\x04 </CODE></PRE> <P>This is the log file I am indexing. and I would like to make it so that when I index it, the timestamp is what determines when a new event occurs. In the data above, the first 3 lines is one event, and the last 3 lines are all indepedent events. I for the life of me, haven't been very successful with this... I've tried a couple of different methods using the Data previewer and setting my line breaks, but I cannot get it to do it correctly. I know this is a very simple thing, so I was wondering if someone could rattle off the solution, and be my easy button. </P> <P>Thanks</P> Fri, 19 Sep 2014 17:54:30 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-line-break-events-based-on-timestamp-to-include-multiple/m-p/133078#M27343 corydm 2014-09-19T17:54:30Z https://community.splunk.com/t5/Getting-Data-In/How-to-line-break-events-based-on-timestamp-to-include-multiple/m-p/133079#M27344 <P>Do you need them to be included as the same event at index time? You could always club them as a single event at search time using the transaction command like so:<BR /> <YOUR sourcetype=""> | transaction _time</YOUR></P> Fri, 19 Sep 2014 18:09:22 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-line-break-events-based-on-timestamp-to-include-multiple/m-p/133079#M27344 sk314 2014-09-19T18:09:22Z https://community.splunk.com/t5/Getting-Data-In/How-to-line-break-events-based-on-timestamp-to-include-multiple/m-p/133080#M27345 <P>Doing it at searchtime is too slow for what I am trying to achieve. When we do transaction _time, the query takes 2/3 minutes to run. I really need to index them together as an event based on timestamp(though really, I need to group this data into one event: </P> <P>9/17/14 6:00:06.274 PM<BR /><BR /> 09-17-2014 18:00:06.274 DATA MESSAGE RCVD HOSTNAME-1 DATA:HLCSPOSITIONINFO;;S123412|STUFF THING|1234.111|112211|UPDATE|54321<BR /> 9/17/14 6:00:06.274 PM<BR /><BR /> 09-17-2014 18:00:06.274 HOSTNAME-1:RCVD DATA = HLCSPOSITIONINFO;S123412|STUFF THING|1234.111|112211|UPDATE|54321<BR /> 9/17/14 6:00:06.274 PM<BR /><BR /> 09-17-2014 18:00:06.274 DATAGRAM FORWARDED TO CLIENT: &lt;123412&gt; [HLCSPOSITIONINFO;S123412|STUFF THING|1234.111|112211|UPDATE|54321<BR /> 9/17/14 6:00:06.274 PM<BR /><BR /> 09-17-2014 18:00:06.274 MOBILE CLIENT ASSIGNMENT FOUND:S123412</P> <P>This is coming accross as 4 separate events, and I need it to be one event. We can easily get this done at search time, but our need is to have it done at index time. It does -not- have to be by the timestamp, but it seemed like low hanging fruit at the time, but is still eluding us. </P> Tue, 23 Sep 2014 13:28:35 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-line-break-events-based-on-timestamp-to-include-multiple/m-p/133080#M27345 corydm 2014-09-23T13:28:35Z https://community.splunk.com/t5/Getting-Data-In/How-to-line-break-events-based-on-timestamp-to-include-multiple/m-p/133081#M27346 <P>try using stats list(_raw) by _time. Would be faster. Hope it helps.</P> Fri, 26 Sep 2014 03:26:30 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-line-break-events-based-on-timestamp-to-include-multiple/m-p/133081#M27346 sk314 2014-09-26T03:26:30Z