<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Multiple log format with customtime.xml not working in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/Multiple-log-format-with-customtime-xml-not-working/m-p/311599#M58498</link>
    <description>&lt;P&gt;Your configurations look fine to me so...&lt;/P&gt;

&lt;P&gt;1: It might not be in the right place: it needs to be located on the first full instance of Splunk that handles the events. This could be a heavy forwarder, intermediate forwarder, or indexer.&lt;/P&gt;

&lt;P&gt;2: They might not be loaded: after you put the configurations where they need to be, you need to make sure that they are owned by the same user that is running the Splunk process, with the correct file permissions, and you need to restart all Splunk processes there.&lt;/P&gt;

&lt;P&gt;3: You might not be evaluating (testing) it properly: make sure that you run your search with &lt;CODE&gt;All time&lt;/CODE&gt; on the TimePicker and add &lt;CODE&gt;_index_earliest=-5m&lt;/CODE&gt; to show only events that have been indexed in the last 5 minutes.&lt;/P&gt;</description>
    <pubDate>Sat, 12 Jan 2019 16:18:05 GMT</pubDate>
    <dc:creator>woodcock</dc:creator>
    <dc:date>2019-01-12T16:18:05Z</dc:date>
    <item>
      <title>Multiple log format with customtime.xml not working</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Multiple-log-format-with-customtime-xml-not-working/m-p/311597#M58496</link>
      <description>&lt;P&gt;I tried to do something like:&lt;/P&gt;

&lt;UL&gt;
&lt;LI&gt;&lt;A href="https://www.splunk.com/blog/2014/04/23/its-that-time-again.html" target="_blank"&gt;https://www.splunk.com/blog/2014/04/23/its-that-time-again.html&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;A href="https://www.function1.com/2013/01/oh-no-splunking-log-files-with-multiple-formats-no-problem" target="_blank"&gt;https://www.function1.com/2013/01/oh-no-splunking-log-files-with-multiple-formats-no-problem&lt;/A&gt;&lt;/LI&gt;
&lt;/UL&gt;

&lt;P&gt;Because I can't get a logfile to be changed.&lt;BR /&gt;
To do that I created a props.conf with a DATETIME_CONFIG parameter which points to a created multitime.xml (I also changed the DATETIME_CONFIG to a non-existing file, just to check if I could find this back in my _internal, which I did).&lt;/P&gt;

&lt;P&gt;The log data looks like what is shown below, and I want it to be 6 events: 5 one-line events and a multiline event.&lt;BR /&gt;
The 4th and 5th events are merged into 1 event instead of being broken up into two events; does anyone here see what I did wrong? (The example on the Splunk blog works &lt;span class="lia-unicode-emoji" title=":slightly_smiling_face:"&gt;🙂&lt;/span&gt; )&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;2018/01/18 13:14:21.3:switchx:T[XXXXXXXX]:AAAA.BB.CCCC:[DB3, (ACTIVE, 2018-01-09 12:27:38.185)]: partitioned-tables=20
2018/01/18 13:14:21.3:switchx:T[XXXXXXXX]:AAAA.BB.CCCC:[DB3, (ACTIVE, 2018-01-09 12:27:38.185)] prepared=true
2018/01/18 13:14:21.3:switchx:T[XXXXXXXX]:AAAA.BB.CCCC:[DB4, (ACTIVE, 2018-01-11 16:56:59.124)]: partitioned-tables=20
2018/01/18 13:14:21.3:switchx:T[XXXXXXXX]:AAAA.BB.CCCC:[DB4, (ACTIVE, 2018-01-11 16:56:59.124)] prepared=true
13:14:22 TPS=0 Act=0[0] Com=12345[67890] Ver=1.2.3-45-AB-678.901 Dln=2 Dnr=123 AA- Mem=7921/2999/329/0 CPU=1
Pool=0/s hit=0%  Script=0/xxxxx  Group out=12[34] in=123[67] FDR=off WIN dhr=12345 msg=246 lat=0 CP d=0.0k s=0.0k
AW - none
WA - none
DB[bytes/batch/size/transit/w+p+e+c=dur] -  DB1[0/0/0/0/0+0+0+0=0]
DB1: ACTIVE 18-01-11 15:51:22 switchy  AB=[131/130/77/0]  DW=[4267/18]  RW=[0/6]  L/W=6/2
DB2: ACTIVE 18-01-11 15:53:03 switchx  AB=[60/60/26/0]  DW=[3320/0]  RW=[0/0]  L/W=0/0
DB3: ACTIVE 18-01-09 12:27:38 switchz  AB=[60/60/26/0]  DW=[3320/0]  RW=[0/0]  L/W=0/0
DB4: ACTIVE 18-01-11 16:56:59 switchr  AB=[60/60/26/0]  DW=[3320/0]  RW=[0/0]  L/W=0/0
HSM: none
2018/01/18 13:14:23.3:switchx:T[XXXXXX]:abcd.efghij.management:Hrhrhr events for harouterx: null
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;props.conf&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;[multi_time]
DATETIME_CONFIG=/etc/apps/multitime/local/multitime.xml
LINE_BREAKER=([\r\n]+)(?:(?:\d{4}\/\d\d\/\d{2}\s\d{2})|(?:\d{2}:\d\d:\d\d\sTPS))
SHOULD_LINEMERGE=true
#BREAK_ONLY_BEFORE_DATE=true
TRUNCATE=5000
MAX_TIMESTAMP_LOOKAHEAD=25
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;multitime.xml&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;&amp;lt;datetime&amp;gt;
&amp;lt;!-- 2018/01/18 13:14:21.3 --&amp;gt;
&amp;lt;define name="_datetimeformat1" extract="year, month, day, hour, minute, second, subsecond"&amp;gt;
&amp;lt;text&amp;gt;(\d{4})\/(\d{2})\/(\d{2})\s(\d{2}):(\d{2}):(\d{2}).(\d)&amp;lt;/text&amp;gt;
&amp;lt;/define&amp;gt;

&amp;lt;!-- 13:14:21 --&amp;gt;
&amp;lt;define name="_datetimeformat2" extract="hour, minute, second"&amp;gt;
&amp;lt;text&amp;gt;(\d{2}):(\d{2}):(\d{2})\s&amp;lt;/text&amp;gt;
&amp;lt;/define&amp;gt;

&amp;lt;timePatterns&amp;gt;
&amp;lt;use name="_datetimeformat1"/&amp;gt;
&amp;lt;use name="_datetimeformat2"/&amp;gt;
&amp;lt;/timePatterns&amp;gt;
&amp;lt;datePatterns&amp;gt;
&amp;lt;use name="_datetimeformat1"/&amp;gt;
&amp;lt;use name="_datetimeformat2"/&amp;gt;
&amp;lt;/datePatterns&amp;gt;
&amp;lt;/datetime&amp;gt;
&lt;/CODE&gt;&lt;/PRE&gt;</description>
      <pubDate>Tue, 29 Sep 2020 17:41:18 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Multiple-log-format-with-customtime-xml-not-working/m-p/311597#M58496</guid>
      <dc:creator>erikgrasman</dc:creator>
      <dc:date>2020-09-29T17:41:18Z</dc:date>
    </item>
    <item>
      <title>Re: Multiple log format with customtime.xml not working</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Multiple-log-format-with-customtime-xml-not-working/m-p/311598#M58497</link>
      <description>&lt;P&gt;by the way, in the original log there are no whitespaces in front of eacht line &lt;span class="lia-unicode-emoji" title=":slightly_smiling_face:"&gt;🙂&lt;/span&gt;&lt;/P&gt;</description>
      <pubDate>Fri, 19 Jan 2018 08:41:15 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Multiple-log-format-with-customtime-xml-not-working/m-p/311598#M58497</guid>
      <dc:creator>erikgrasman</dc:creator>
      <dc:date>2018-01-19T08:41:15Z</dc:date>
    </item>
    <item>
      <title>Re: Multiple log format with customtime.xml not working</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Multiple-log-format-with-customtime-xml-not-working/m-p/311599#M58498</link>
      <description>&lt;P&gt;Your configurations look fine to me so...&lt;/P&gt;

&lt;P&gt;1: It might not be in the right place: it needs to be located on the first full instance of Splunk that handles the events. This could be a heavy forwarder, intermediate forwarder, or indexer.&lt;/P&gt;

&lt;P&gt;2: They might not be loaded: after you put the configurations where they need to be, you need to make sure that they are owned by the same user that is running the Splunk process, with the correct file permissions, and you need to restart all Splunk processes there.&lt;/P&gt;

&lt;P&gt;3: You might not be evaluating (testing) it properly: make sure that you run your search with &lt;CODE&gt;All time&lt;/CODE&gt; on the TimePicker and add &lt;CODE&gt;_index_earliest=-5m&lt;/CODE&gt; to show only events that have been indexed in the last 5 minutes.&lt;/P&gt;</description>
      <pubDate>Sat, 12 Jan 2019 16:18:05 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Multiple-log-format-with-customtime-xml-not-working/m-p/311599#M58498</guid>
      <dc:creator>woodcock</dc:creator>
      <dc:date>2019-01-12T16:18:05Z</dc:date>
    </item>
  </channel>
</rss>