https://community.splunk.com/t5/Getting-Data-In/Breaking-the-logs-with-timestamp/m-p/263394#M50530 <P>Hi </P> <P>How to break following logs with time-stamp. Here the timestamp; "Jul 15 13:54:20"</P> <P>Jul 15 13:58:47 10.21.29.227 msg=Veri Jul 15 13:54:20Cyber-Ark|Vault|9.60.0000|295|Retrieve password|5|act=Retrieve password suser=PasswordManager fname=Root\Operating System-WinDomain-AD dvc= shost=1.2.3.4 dhost=abc.com duser=ADM externalId= app= reason= cs1Label="Affected User Name" cs1= cs2Label="Safe Name" cs2=XYZ cs3Label="Device Type" cs3=Operating System cs4Label="Database" cs4= cs5Label="Other info" cs5= cn1Label="Request Id" cn1= cn2Label="Ticket Id" cn2=CPM msg=CPMJul 15 13:54:21 CEF:0|Cyber-Ark|Vault|9.60.0000|295|Retrieve password|5|act=Retrieve password suser=PasswordManager fname=Root\Operating System-WinDomainAD dvc= shost=1.3.4.4 dhost=abc.com duser=AD externalId= </P> Sun, 17 Jul 2016 20:45:00 GMT kiran331 2016-07-17T20:45:00Z https://community.splunk.com/t5/Getting-Data-In/Breaking-the-logs-with-timestamp/m-p/263394#M50530 <P>Hi </P> <P>How to break following logs with time-stamp. Here the timestamp; "Jul 15 13:54:20"</P> <P>Jul 15 13:58:47 10.21.29.227 msg=Veri Jul 15 13:54:20Cyber-Ark|Vault|9.60.0000|295|Retrieve password|5|act=Retrieve password suser=PasswordManager fname=Root\Operating System-WinDomain-AD dvc= shost=1.2.3.4 dhost=abc.com duser=ADM externalId= app= reason= cs1Label="Affected User Name" cs1= cs2Label="Safe Name" cs2=XYZ cs3Label="Device Type" cs3=Operating System cs4Label="Database" cs4= cs5Label="Other info" cs5= cn1Label="Request Id" cn1= cn2Label="Ticket Id" cn2=CPM msg=CPMJul 15 13:54:21 CEF:0|Cyber-Ark|Vault|9.60.0000|295|Retrieve password|5|act=Retrieve password suser=PasswordManager fname=Root\Operating System-WinDomainAD dvc= shost=1.3.4.4 dhost=abc.com duser=AD externalId= </P> Sun, 17 Jul 2016 20:45:00 GMT https://community.splunk.com/t5/Getting-Data-In/Breaking-the-logs-with-timestamp/m-p/263394#M50530 kiran331 2016-07-17T20:45:00Z https://community.splunk.com/t5/Getting-Data-In/Breaking-the-logs-with-timestamp/m-p/263395#M50531 <P>Can you provide samples on how the events should look after splitting?</P> Mon, 18 Jul 2016 16:17:27 GMT https://community.splunk.com/t5/Getting-Data-In/Breaking-the-logs-with-timestamp/m-p/263395#M50531 somesoni2 2016-07-18T16:17:27Z https://community.splunk.com/t5/Getting-Data-In/Breaking-the-logs-with-timestamp/m-p/263396#M50532 <P>Jul 15 13:54:20Cyber-Ark|Vault|9.60.0000|295|Retrieve password|5|act=Retrieve password suser=PasswordManager fname=Root\Operating System-WinDomain-AD dvc= shost=1.2.3.4 dhost=abc.com duser=ADM externalId= app= reason= cs1Label="Affected User Name" cs1= cs2Label="Safe Name" cs2=XYZ cs3Label="Device Type" cs3=Operating System cs4Label="Database" cs4= cs5Label="Other info" cs5= cn1Label="Request Id" cn1= cn2Label="Ticket Id" cn2=CPM msg=CPM</P> <P>Jul 15 13:54:21 CEF:0|Cyber-Ark|Vault|9.60.0000|295|Retrieve password|5|act=Retrieve password suser=PasswordManager fname=Root\Operating System-WinDomainAD dvc= shost=1.3.4.4 dhost=abc.com duser=AD externalId=</P> Mon, 18 Jul 2016 21:21:42 GMT https://community.splunk.com/t5/Getting-Data-In/Breaking-the-logs-with-timestamp/m-p/263396#M50532 kiran331 2016-07-18T21:21:42Z https://community.splunk.com/t5/Getting-Data-In/Breaking-the-logs-with-timestamp/m-p/263397#M50533 <P>Your LINE_BREAKER parameter could be like this: <CODE>(\w{3})\s(\d{2})\s(\d{2}):(\d{2}):(\d{2})</CODE></P> <P>See more in: <A href="http://docs.splunk.com/Documentation/Splunk/6.4.2/Data/Configureeventlinebreaking">http://docs.splunk.com/Documentation/Splunk/6.4.2/Data/Configureeventlinebreaking</A></P> Mon, 18 Jul 2016 23:45:27 GMT https://community.splunk.com/t5/Getting-Data-In/Breaking-the-logs-with-timestamp/m-p/263397#M50533 rafamss 2016-07-18T23:45:27Z