topic Re: one timestamp multi events in Splunk Search

one timestamp multi events

gotarr — Mon, 16 Aug 2021 09:30:30 GMT

In my search table are some multible events with one timestamp.

I need to split them.

Does somebody has any idea?

Thanks in advance for your help

Re: one timestamp multi events

ITWhisperer — Mon, 16 Aug 2021 13:08:40 GMT

What do you mean by "split them", they are already separate events? Or, do you just want to extract fields from them? Or, do you want to tag them so they have unique ids? (Consider streamstats count as row optionally with by _time).

Re: one timestamp multi events

s2_splunk — Mon, 16 Aug 2021 17:52:09 GMT

In your example, you see empty values for some rows, because the one of the three events with the same timestamp has a different message format than the other two and does not contain the same fields (e.g. baddr).

I think we can help better if you let us know what your expected outcome/report should look like.

Re: one timestamp multi events

m_pham — Mon, 16 Aug 2021 20:09:05 GMT

Hi - you have multiple events with the same timestamp because Splunk line break the events to every new line from the log you are ingesting (syslog). They all have the same timestamp because Splunk extracted those timestamps from the timestamp within the log itself - in your example: %Y-%m-%dT%H:%M:%S.%QZ

Can you post the Splunk search you are using in the screenshot for the results you posted? Also can you clarify more on what you are trying to achieve?

On another note - you have to make sure you have these configurations at index time when you want the event to have the correct timestamp:

props.conf

[custom:sourcetype]

TIME_PREFIX =
MAX_TIMESTAMP_LOOKAHEAD =
TIME_FORMAT =

If the time zone in your log is different than what is on the server parsing the logs (HF/IDX), then set this to match the timezone in the log (which appears to be in UTC it looks like in your case).

TZ = UTC

I'd try to set a unique sourcetype for the syslog data you are ingesting as to not override any of the default "syslog" sourcetype configs.

Overall - it's best practice to have these configurations for any logs to prevent Splunk from guessing the line breaking and timestamp.

TIME_PREFIX =
MAX_TIMESTAMP_LOOKAHEAD =
TIME_FORMAT =
SHOULD_LINEMERGE = false
LINE_BREAKER =

# Default is 10,000 but you can set higher if your log exceeds this
TRUNCATE = 10000

Re: one timestamp multi events

gotarr — Tue, 17 Aug 2021 06:02:34 GMT

Tanks for all your replys.

@ITWhisperer well thats right but i cant see the single logs in my table because of the same time stamp.

@s2_splunk my table should seperate all single logs for my dashboard. Maybe it helps if i say i need to improve the timestamps f.e. toady:05:45:03.624 --> 05:45:03.624xxxx you know what i mean?

@m_pham i will try it give me a moment 🙂

My goal is it to display the search on my dashboard for my firewall guys. they want a global view of the genugate (btw the 2 firewalls log with one IP because there is only one page for the config)
This "global table" is for alarming and counting events.

The next step is to split both logs for seperate detail searches (each firewall with there own table).

I hope you understand my plan, sorry for my simple broken english 🙂

Re: one timestamp multi events

gotarr — Tue, 17 Aug 2021 06:05:10 GMT

ah maybe its important to say

my setupup is a Index Cluster (3 indexer)

Re: one timestamp multi events

gotarr — Thu, 19 Aug 2021 09:40:53 GMT

Sorry

dont work this way for me.

there are these empty table slots with two or more entries behind (same time stamp)

maybe u got any other ideas?