Breaking of events on the basis of date

swetar
New Member

Can anyone suggest how I can break the events in the format below? I want to break them on the basis of the date format.
I tried using (BREAK_ONLY_BEFORE_DATE = yes). This breaks the event at the last_updated date, which I don't want.
logfile#
2018/04/13 10:27:53
category=Cars
Company=xyz
balancesheet=pqz
last_updated_date=2018/04/12 09:27:53
Country=America
2018/04/12 10:27:53
category=bikes
Company=xyzx
balancesheet=pqz
Country=America
2018/04/13 10:27:53
category=Cycles
Company=xyz
balancesheet=pqz
last_updated_date=2018/04/09 19:27:53
Country=UK

Desired output

2018/04/13 10:27:53
category=Cars
Company=xyz
balancesheet=pqz
last_updated_date=2018/04/12 09:27:53
Country=America

2018/04/12 10:27:53
category=bikes
Company=xyzx
balancesheet=pqz
Country=America

2018/04/13 10:27:53
category=Cycles
Company=xyz
balancesheet=pqz
last_updated_date=2018/04/09 19:27:53
Country=UK

0 Karma

richgalloway
SplunkTrust

Try these props.conf settings.

[mysourcetype]
SHOULD_LINEMERGE = true
TIME_PREFIX = ^
TIME_FORMAT = %Y/%m/%d %H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 20
BREAK_ONLY_BEFORE_DATE = true
TRUNCATE = 10000
---
If this reply helps you, Karma would be appreciated.
0 Karma
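
An added example (not part of the thread, and not Splunk's own line-merging code): an offline Python check of the break rule on the question's sample, comparing a break before any line that contains a timestamp with a break only before lines that start with one. The regex, function names and the simplified break model are assumptions made for this sketch.

```python
import re

# Constructed sample: the three records from the question.
SAMPLE = """\
2018/04/13 10:27:53
category=Cars
Company=xyz
balancesheet=pqz
last_updated_date=2018/04/12 09:27:53
Country=America
2018/04/12 10:27:53
category=bikes
Company=xyzx
balancesheet=pqz
Country=America
2018/04/13 10:27:53
category=Cycles
Company=xyz
balancesheet=pqz
last_updated_date=2018/04/09 19:27:53
Country=UK
"""

TS = r"\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}"  # matches %Y/%m/%d %H:%M:%S
ANYWHERE = re.compile(TS)            # timestamp found anywhere on the line
LINE_START = re.compile(r"^" + TS)   # timestamp only at the start of the line

def split_events(text, break_before):
    """Start a new event before every line where break_before matches."""
    events, current = [], []
    for line in text.splitlines():
        if break_before.search(line) and current:
            events.append(current)
            current = []
        current.append(line)
    if current:
        events.append(current)
    return events

def orphaned_fields(events):
    """Events whose first line is not a bare timestamp, i.e. a wrong break."""
    return [e for e in events if not re.fullmatch(TS, e[0])]

if __name__ == "__main__":
    for name, rule in (("anywhere", ANYWHERE), ("line start", LINE_START)):
        events = split_events(SAMPLE, rule)
        print(f"{name}: {len(events)} events, {len(orphaned_fields(events))} wrong breaks")
```

Running the same check against a sample of real log lines before deploying a sourcetype shows whether any field value that contains a date would start a new event.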