https://community.splunk.com/t5/Getting-Data-In/Timestamp-Problem/m-p/31276#M5491 <P>Hm, I haven't tried it, so I'm not too sure that multiline TIME_FORMAT specifications work, but you could always try;</P> <PRE><CODE>TIME_PREFIX = time_hour = TIME_FORMAT = %H%ntime_minute = %M%ntime_second = %S </CODE></PRE> <P>where the <CODE>%n</CODE> is the newline character. If there are multiple newlines (as in your example above) you'd need to put in <CODE>%n%n</CODE> etc.</P> <P>Hope this works,</P> <P>K</P> Mon, 13 Aug 2012 15:18:59 GMT kristian_kolb 2012-08-13T15:18:59Z https://community.splunk.com/t5/Getting-Data-In/Timestamp-Problem/m-p/31275#M5490 <P>Dears,<BR /> I have a multi line log as following sample, the hours,minutes, and seconds in different line,<BR /> how could I define the timestamp?</P> <P>Thanks a lot. </P> <P>======EVENT======<BR /> header:<BR /><BR /> event_id = activate<BR /><BR /> event_result = success<BR /><BR /> time_hour = 12<BR /><BR /> time_minute = 6<BR /><BR /> time_second = 19<BR /> activation_type = gprs_primary<BR /> rat = wcdma<BR /> cause_prot_type = ril3</P> Mon, 28 Sep 2020 12:14:30 GMT https://community.splunk.com/t5/Getting-Data-In/Timestamp-Problem/m-p/31275#M5490 fetjerry 2020-09-28T12:14:30Z https://community.splunk.com/t5/Getting-Data-In/Timestamp-Problem/m-p/31276#M5491 <P>Hm, I haven't tried it, so I'm not too sure that multiline TIME_FORMAT specifications work, but you could always try;</P> <PRE><CODE>TIME_PREFIX = time_hour = TIME_FORMAT = %H%ntime_minute = %M%ntime_second = %S </CODE></PRE> <P>where the <CODE>%n</CODE> is the newline character. If there are multiple newlines (as in your example above) you'd need to put in <CODE>%n%n</CODE> etc.</P> <P>Hope this works,</P> <P>K</P> Mon, 13 Aug 2012 15:18:59 GMT https://community.splunk.com/t5/Getting-Data-In/Timestamp-Problem/m-p/31276#M5491 kristian_kolb 2012-08-13T15:18:59Z