Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Break a multiple events into a single event based on timestamp

RAVISHANKAR
Explorer
‎11-29-2024 09:27 AM

How to Break a multiple events into a single event based on timestamp?

My logs doesn't have a date and it only has timestamp - For Ex - it starts as below format..

17:22:29.875

Splunk version - 9.2.1

i have tried many options in props.conf but no luck still i could see multiple events in my search and i couldn't see events are breaked as per each timestamp.

will LINE_BREAKER works or BREAK_ONLY_BEFORE - tried both but no luck.. is it possible to break events with timestamp in splunk or it's possible to break events only with date and time ??

Thanks in Advance.

Labels (1)
Labels
0 Karma
Reply

marnall
Motivator
‎11-30-2024 09:33 PM

Ultimately Splunk needs a date to know where to file your event. If the date is missing from the logs, then you need to supply or assume it from somewhere else.

E.g. if Splunk sees the time "17:22:29.875", then do you want Splunk to assume that the date is the day of indexing? So if yesterday, then the full timestamp would be 2024-30-11 17:22:29.875

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎11-29-2024 11:36 AM

To be fully honest - I have no idea what you want to do. Please post a sample of your incoming data and tell us where you want it broken into separate events.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎11-29-2024 09:55 AM

It is possible to break events on *anything*.  It would help to see a sanitized example of the events you wish to break, but these settings should help.

SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)\d\d:\d\d
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

RAVISHANKAR
Explorer
‎12-03-2024 08:58 AM

@richgalloway  

It works ...

but however only if i pass source it taking this rule effective if i pass sourcetype this rule not effective in props.conf.

Thank you..

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎12-03-2024 10:03 AM

I'm not sure what that statement means. 

props apply only to the sourcetype, source, or host listed in the stanza name.  It may be necessary to replicate a stanza to cover all scenarios.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Observability Simplified: Combining User Experience, Application Performance & ...

Tech Talk Observability Simplified: Combining User Experience, Application Performance & Network ...

Event Series May & June: From Network Visibility to Service Intelligence

Unifying the Network: Moving from Alert Noise to Service Intelligence with Splunk ITSI In today’s hybrid ...

Global Splunk User Group Events: May + June 2026

Your Splunk Community Awaits: Discover Upcoming User Group Events Worldwide    Staying ahead in the fast-paced ...