https://community.splunk.com/t5/Getting-Data-In/Handling-Data-with-multiple-formats/m-p/64876#M96916 <P>Has anyone worked with parsing multiple formats within a log</P> <P>Example we logs like driver.log for our Datasynapse Grid processing<BR /> and at least 5 different distinct formats </P> <P>mutil-line format</P> <P>[LOG|DEBUG|2011 August 23, 08:25:27 (622)|MEMORY_DEBUG|ResponseCallbacks-1: DriverJobSpace$1|162.103.129.63 (wppsa01a0038.wellsfargo.com)]<BR /> In FuBaseWebProcJob::processTaskOuput(0) - heap size(50,577,408) free(8,822,904) % free(17.444357765427597)<BR /> [END]</P> <P>2nd mutli-line<BR /> Bond has been loaded from Calypso<BR /> putting bond into cache cusip 3133XYJ97<BR /> SourceHit=22.0 CacheHit=5.0 HitRate=18.519<BR /> **** out of sync block<BR /> *********BondSettleDays =1 tradeSd=08/24/2011<BR /> ::grName::gridlib_smiley2_prod_ro<BR /> Resetting DATASYNAPSE_RETRIES to 0<BR /> [2011-08-23 08:25:25.805] CARE Domain: MSRBTaskTimeoutMin=null<BR /> [2011-08-23 08:25:25.805] Executing grid job...</P> <P>And at least 3 single line formats</P> <P>08/23/11 08:25:27.627 INFO: [ServiceEvent] CompletedTask:TradeAnalyticsJob:3133XYJ97-8293306600710979712-0:Total:1</P> <P>CARESERVICE END:CE0C1AE5-E762-4474-9541-E8724CFD8C86|45|S|3133XYJ97: TIME::8/23/11 11:59:00.674 PM EDT</P> <P>CalypsoServiceGrid Response has been posted. 27.0#27.0</P> Mon, 28 Sep 2020 09:50:15 GMT jhallman 2020-09-28T09:50:15Z https://community.splunk.com/t5/Getting-Data-In/Handling-Data-with-multiple-formats/m-p/64876#M96916 <P>Has anyone worked with parsing multiple formats within a log</P> <P>Example we logs like driver.log for our Datasynapse Grid processing<BR /> and at least 5 different distinct formats </P> <P>mutil-line format</P> <P>[LOG|DEBUG|2011 August 23, 08:25:27 (622)|MEMORY_DEBUG|ResponseCallbacks-1: DriverJobSpace$1|162.103.129.63 (wppsa01a0038.wellsfargo.com)]<BR /> In FuBaseWebProcJob::processTaskOuput(0) - heap size(50,577,408) free(8,822,904) % free(17.444357765427597)<BR /> [END]</P> <P>2nd mutli-line<BR /> Bond has been loaded from Calypso<BR /> putting bond into cache cusip 3133XYJ97<BR /> SourceHit=22.0 CacheHit=5.0 HitRate=18.519<BR /> **** out of sync block<BR /> *********BondSettleDays =1 tradeSd=08/24/2011<BR /> ::grName::gridlib_smiley2_prod_ro<BR /> Resetting DATASYNAPSE_RETRIES to 0<BR /> [2011-08-23 08:25:25.805] CARE Domain: MSRBTaskTimeoutMin=null<BR /> [2011-08-23 08:25:25.805] Executing grid job...</P> <P>And at least 3 single line formats</P> <P>08/23/11 08:25:27.627 INFO: [ServiceEvent] CompletedTask:TradeAnalyticsJob:3133XYJ97-8293306600710979712-0:Total:1</P> <P>CARESERVICE END:CE0C1AE5-E762-4474-9541-E8724CFD8C86|45|S|3133XYJ97: TIME::8/23/11 11:59:00.674 PM EDT</P> <P>CalypsoServiceGrid Response has been posted. 27.0#27.0</P> Mon, 28 Sep 2020 09:50:15 GMT https://community.splunk.com/t5/Getting-Data-In/Handling-Data-with-multiple-formats/m-p/64876#M96916 jhallman 2020-09-28T09:50:15Z https://community.splunk.com/t5/Getting-Data-In/Handling-Data-with-multiple-formats/m-p/64877#M96917 <P>I assume the problem is that these variants are all inside of a single file. This blog does a good job of explaining how to handle that:</P> <P><A href="http://www.function1.com/2013/01/oh-no-splunking-log-files-with-multiple-formats-no-problem">http://www.function1.com/2013/01/oh-no-splunking-log-files-with-multiple-formats-no-problem</A></P> Fri, 05 Jun 2015 03:47:04 GMT https://community.splunk.com/t5/Getting-Data-In/Handling-Data-with-multiple-formats/m-p/64877#M96917 woodcock 2015-06-05T03:47:04Z