https://community.splunk.com/t5/Getting-Data-In/how-to-extract-time-from-multi-line-log/m-p/214302#M42140 <P>Dears,</P> <P>i have log that repeated every 10 min as below <BR /> 16-02-08 Name Succ drop </P> <P>04:26:50 Searches 12 0 <BR /> 04:27:00 Searches 17 0 <BR /> 04:27:10 Searches 12 0 </P> <P>firts line contain Date of the Day and each line contain different Timestamp <BR /> i need to know how to extract each line with exact time <BR /> i know that i can break events using Break_line option and also break multiple events using multikv <BR /> but i couldn't extract Correct time for every event So please advise </P> Sun, 21 Feb 2016 14:18:01 GMT ahmedhassanean 2016-02-21T14:18:01Z https://community.splunk.com/t5/Getting-Data-In/how-to-extract-time-from-multi-line-log/m-p/214302#M42140 <P>Dears,</P> <P>i have log that repeated every 10 min as below <BR /> 16-02-08 Name Succ drop </P> <P>04:26:50 Searches 12 0 <BR /> 04:27:00 Searches 17 0 <BR /> 04:27:10 Searches 12 0 </P> <P>firts line contain Date of the Day and each line contain different Timestamp <BR /> i need to know how to extract each line with exact time <BR /> i know that i can break events using Break_line option and also break multiple events using multikv <BR /> but i couldn't extract Correct time for every event So please advise </P> Sun, 21 Feb 2016 14:18:01 GMT https://community.splunk.com/t5/Getting-Data-In/how-to-extract-time-from-multi-line-log/m-p/214302#M42140 ahmedhassanean 2016-02-21T14:18:01Z https://community.splunk.com/t5/Getting-Data-In/how-to-extract-time-from-multi-line-log/m-p/214303#M42141 <P>Not sure I understand. Can you describe your desired outcome?<BR /> Do you want these to be one event? Do you want each line to be one event, with all the lines that don't have a date in it using... which date?<BR /> Do you have the opportunity to change the application generating these logs?</P> Sun, 21 Feb 2016 20:56:04 GMT https://community.splunk.com/t5/Getting-Data-In/how-to-extract-time-from-multi-line-log/m-p/214303#M42141 s2_splunk 2016-02-21T20:56:04Z https://community.splunk.com/t5/Getting-Data-In/how-to-extract-time-from-multi-line-log/m-p/214304#M42142 <P>i would like to have each line as new event but with correct time and column name as below ( note : date is come in first line only in our case (16-02-08 ) and for each line there is different date and all this table is repeated every 2 min in log with header ) </P> <P>16-02-08 04:26:50 Searches 12 0<BR /> 16-02-08 04:27:00 Searches 17 0<BR /> 16-02-08 04:27:10 Searches 12 0 </P> Sun, 21 Feb 2016 21:18:21 GMT https://community.splunk.com/t5/Getting-Data-In/how-to-extract-time-from-multi-line-log/m-p/214304#M42142 ahmedhassanean 2016-02-21T21:18:21Z https://community.splunk.com/t5/Getting-Data-In/how-to-extract-time-from-multi-line-log/m-p/214305#M42143 <P>That's super ugly. If the event really looks like that, and there's nothing you can do about it, then you could do something like this:</P> <PRE><CODE>|stats count | eval _raw="16-02-08 Name Succ drop\n04:26:50 Searches 12 0\n04:27:00 Searches 17 0\n04:27:10 Searches 12 0" | rex "^(?&lt;date&gt;\d+-\d+-\d+) " | eval line=split(_raw,"\n") | mvexpand line | rex field=line "^(?&lt;time&gt;\d+:\d+:\d+) " | eval _time=strptime(date + " " + time, "%d-%m-%y %H:%M:%S") </CODE></PRE> <P>It isn't going to be fast, though. You'd be far better off figuring out how to parse the logs line by line, if at all possible.</P> Sun, 13 Mar 2016 07:45:55 GMT https://community.splunk.com/t5/Getting-Data-In/how-to-extract-time-from-multi-line-log/m-p/214305#M42143 vbumgarner 2016-03-13T07:45:55Z