Getting Data In
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Break a multiple events into a single event based on timestamp

RAVISHANKAR
Loves-to-Learn Lots
‎11-29-2024 09:27 AM

How to Break a multiple events into a single event based on timestamp?

My logs doesn't have a date and it only has timestamp - For Ex - it starts as below format..

17:22:29.875

Splunk version - 9.2.1

i have tried many options in props.conf but no luck still i could see multiple events in my search and i couldn't see events are breaked as per each timestamp.

will LINE_BREAKER works or BREAK_ONLY_BEFORE - tried both but no luck.. is it possible to break events with timestamp in splunk or it's possible to break events only with date and time ??

Thanks in Advance.

Labels (4)
0 Karma
Reply

marnall
Motivator
‎11-30-2024 09:33 PM

Ultimately Splunk needs a date to know where to file your event. If the date is missing from the logs, then you need to supply or assume it from somewhere else.

E.g. if Splunk sees the time "17:22:29.875", then do you want Splunk to assume that the date is the day of indexing? So if yesterday, then the full timestamp would be 2024-30-11 17:22:29.875

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎11-29-2024 11:36 AM

To be fully honest - I have no idea what you want to do. Please post a sample of your incoming data and tell us where you want it broken into separate events.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎11-29-2024 09:55 AM

It is possible to break events on *anything*.  It would help to see a sanitized example of the events you wish to break, but these settings should help.

SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)\d\d:\d\d
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

RAVISHANKAR
Loves-to-Learn Lots
‎12-03-2024 08:58 AM

@richgalloway  

It works ...

but however only if i pass source it taking this rule effective if i pass sourcetype this rule not effective in props.conf.

Thank you..

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎12-03-2024 10:03 AM

I'm not sure what that statement means. 

props apply only to the sourcetype, source, or host listed in the stanza name.  It may be necessary to replicate a stanza to cover all scenarios.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability Synthetic Monitoring - Resolved Incident on Detector Alerts

We’ve discovered a bug that affected the auto-clear of Synthetic Detectors in the Splunk Synthetic Monitoring ...

Video | Tom’s Smartness Journey Continues

Remember Splunk Community member Tom Kopchak? If you caught the first episode of our Smartness interview ...

3-2-1 Go! How Fast Can You Debug Microservices with Observability Cloud?

3-2-1 Go! How Fast Can You Debug Microservices with Observability Cloud? Learn how unique features like ...
Top