https://community.splunk.com/t5/Getting-Data-In/How-to-break-events-based-on-timestamp-at-index-time/m-p/349114#M64100 <P>Thanks for the reply. Looks better now. Timestamps being properly recognised. But it's not breaking events like I want it. It's doing one event per line, but I want all lines with exact same timestamp to be one event. I'm playing in the Add Data interface and can't figure it out. Here's the props.conf settings I have.</P> <P>I tried BREAK_ONLY_BEFORE=^[ like you suggested but it was still not doing what I want it to do.</P> <PRE><CODE>[ &lt;SOURCETYPE NAME&gt; ] SHOULD_LINEMERGE=true NO_BINARY_CHECK=true CHARSET=UTF-8 MAX_TIMESTAMP_LOOKAHEAD=60 disabled=false TIME_FORMAT=%m/%d/%y %H:%M:%S:%3N %Z TIME_PREFIX=\[ </CODE></PRE> <P>Data example: I would like line 45, 46 and 47 to be 1 event. They all have the same timestamp. Line 48 would be the start of a new event.</P> <PRE><CODE>45 3/14/18 12:12:41.610 AM [3/14/18 0:12:41:610 EDT] 00000039 SystemErr R at com.ibm.io.async.ResultHandler.runEventProcessingLoop(ResultHandler.java:775) 46 3/14/18 12:12:41.610 AM [3/14/18 0:12:41:610 EDT] 00000039 SystemErr R at com.ibm.io.async.ResultHandler$2.run(ResultHandler.java:905) 47 3/14/18 12:12:41.610 AM [3/14/18 0:12:41:610 EDT] 00000039 SystemErr R at com.ibm.ws.util.ThreadPool$Worker.run(ThreadPool.java:1662) 48 3/14/18 1:00:02.465 AM [3/14/18 1:00:02:465 EDT] 0000006b SystemErr R com.ibm.wcc.service.intf.ProcessingException </CODE></PRE> Tue, 29 Sep 2020 18:27:19 GMT patouellet 2020-09-29T18:27:19Z https://community.splunk.com/t5/Getting-Data-In/How-to-break-events-based-on-timestamp-at-index-time/m-p/349110#M64096 <P>Hello,</P> <P>Having a hard time parsing a file the way I need it too. Got a file with events spilling over multiple lines. There is no disnernable event breaking regex I could use to break out events. What seems to make more sense is to recognize multiple lines as a single event based on timestamp. That's what I want to do. I read that I should use the TIME_FORMAT and some other thing to tell Splunk to do that at Index time. But I'm stuck - for some reason I'm getting parsing errors.</P> <PRE><CODE>Given this sample log line: [3/14/18 4:00:08:816 EDT] 00000033 SystemErr R at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.ready(HttpInboundLink.java:278) Using this TIME_FORMAT value: %m/%d/%y %H:%M:%S:%3N %Z </CODE></PRE> <P>Why am I getting "Could not use strptime to parse timestamp from "[3/14/18 4:00:08:816 EDT]" </P> <P>Thank you.</P> Wed, 14 Mar 2018 15:26:29 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-break-events-based-on-timestamp-at-index-time/m-p/349110#M64096 patouellet 2018-03-14T15:26:29Z https://community.splunk.com/t5/Getting-Data-In/How-to-break-events-based-on-timestamp-at-index-time/m-p/349111#M64097 <P>You should read those manual first :<BR /> <A href="http://docs.splunk.com/Documentation/Splunk/7.0.2/Data/Configureeventlinebreaking">http://docs.splunk.com/Documentation/Splunk/7.0.2/Data/Configureeventlinebreaking</A><BR /> <A href="http://docs.splunk.com/Documentation/Splunk/7.0.2/Data/Configuretimestamprecognition">http://docs.splunk.com/Documentation/Splunk/7.0.2/Data/Configuretimestamprecognition</A></P> <P>then you can upload a sample to your search-head and use the wizard to create and test a sourcetype.<BR /> then when working, export the sourcetype props.conf config and deploy it to your parsing layer (indexers, and heavy forwarders)</P> <P>I suspect that the sourcetype will look like :</P> <PRE><CODE>[custom_sourcetype] SHOULD_LINEMERGE=true BREAK_ONLY_BEFORE=^\[ TIME_FORMAT=%m/%d/%y %H:%M:%S:%3N %Z TIME_PREFIX=\[ MAX_TIMESTAMP_LOOKAHEAD=60 </CODE></PRE> Wed, 14 Mar 2018 17:47:12 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-break-events-based-on-timestamp-at-index-time/m-p/349111#M64097 yannK 2018-03-14T17:47:12Z https://community.splunk.com/t5/Getting-Data-In/How-to-break-events-based-on-timestamp-at-index-time/m-p/349112#M64098 <P>@yannK [Splunk], there is an extra percent after <CODE>%m</CODE> it should be <CODE>TIME_FORMAT=%m/%d/%y %H:%M:%S:%3N %Z</CODE></P> Wed, 14 Mar 2018 18:12:41 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-break-events-based-on-timestamp-at-index-time/m-p/349112#M64098 niketn 2018-03-14T18:12:41Z https://community.splunk.com/t5/Getting-Data-In/How-to-break-events-based-on-timestamp-at-index-time/m-p/349113#M64099 <P>oh yes, it's a typo, let me edit it</P> Wed, 14 Mar 2018 18:18:38 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-break-events-based-on-timestamp-at-index-time/m-p/349113#M64099 yannK 2018-03-14T18:18:38Z https://community.splunk.com/t5/Getting-Data-In/How-to-break-events-based-on-timestamp-at-index-time/m-p/349114#M64100 <P>Thanks for the reply. Looks better now. Timestamps being properly recognised. But it's not breaking events like I want it. It's doing one event per line, but I want all lines with exact same timestamp to be one event. I'm playing in the Add Data interface and can't figure it out. Here's the props.conf settings I have.</P> <P>I tried BREAK_ONLY_BEFORE=^[ like you suggested but it was still not doing what I want it to do.</P> <PRE><CODE>[ &lt;SOURCETYPE NAME&gt; ] SHOULD_LINEMERGE=true NO_BINARY_CHECK=true CHARSET=UTF-8 MAX_TIMESTAMP_LOOKAHEAD=60 disabled=false TIME_FORMAT=%m/%d/%y %H:%M:%S:%3N %Z TIME_PREFIX=\[ </CODE></PRE> <P>Data example: I would like line 45, 46 and 47 to be 1 event. They all have the same timestamp. Line 48 would be the start of a new event.</P> <PRE><CODE>45 3/14/18 12:12:41.610 AM [3/14/18 0:12:41:610 EDT] 00000039 SystemErr R at com.ibm.io.async.ResultHandler.runEventProcessingLoop(ResultHandler.java:775) 46 3/14/18 12:12:41.610 AM [3/14/18 0:12:41:610 EDT] 00000039 SystemErr R at com.ibm.io.async.ResultHandler$2.run(ResultHandler.java:905) 47 3/14/18 12:12:41.610 AM [3/14/18 0:12:41:610 EDT] 00000039 SystemErr R at com.ibm.ws.util.ThreadPool$Worker.run(ThreadPool.java:1662) 48 3/14/18 1:00:02.465 AM [3/14/18 1:00:02:465 EDT] 0000006b SystemErr R com.ibm.wcc.service.intf.ProcessingException </CODE></PRE> Tue, 29 Sep 2020 18:27:19 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-break-events-based-on-timestamp-at-index-time/m-p/349114#M64100 patouellet 2020-09-29T18:27:19Z https://community.splunk.com/t5/Getting-Data-In/How-to-break-events-based-on-timestamp-at-index-time/m-p/349115#M64101 <P>Hi @patouellet </P> <P>Did you get your issue resolved as i am also facing the same issue of all events being indexed at he same time i.e. the file creation time of the log file which has the data and not the event time. </P> <P>Let me know if its working for you. </P> <P>Thanks</P> Fri, 13 Sep 2019 09:12:01 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-break-events-based-on-timestamp-at-index-time/m-p/349115#M64101 surekhasplunk 2019-09-13T09:12:01Z https://community.splunk.com/t5/Getting-Data-In/How-to-break-events-based-on-timestamp-at-index-time/m-p/349116#M64102 <P>Hi, I see that was one year ago. I honestly don't remember. But I was able to find the settings I'm currently using. Here they are. Hopefully it helps you out.</P> <PRE><CODE>[your_sourcetype] DATETIME_CONFIG = MAX_TIMESTAMP_LOOKAHEAD = 60 NO_BINARY_CHECK = true TIME_FORMAT = %m/%d/%y %H:%M:%S:%3N %Z TIME_PREFIX = \[ category = Application disabled = false pulldown_type = true </CODE></PRE> Fri, 13 Sep 2019 12:14:01 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-break-events-based-on-timestamp-at-index-time/m-p/349116#M64102 patouellet 2019-09-13T12:14:01Z