Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Breaking the logs with timestamp

kiran331
Builder
‎07-17-2016 01:45 PM

Hi

How to break following logs with time-stamp. Here the timestamp; "Jul 15 13:54:20"

Jul 15 13:58:47 10.21.29.227 msg=Veri Jul 15 13:54:20Cyber-Ark|Vault|9.60.0000|295|Retrieve password|5|act=Retrieve password suser=PasswordManager fname=Root\Operating System-WinDomain-AD dvc= shost=1.2.3.4 dhost=abc.com duser=ADM externalId= app= reason= cs1Label="Affected User Name" cs1= cs2Label="Safe Name" cs2=XYZ cs3Label="Device Type" cs3=Operating System cs4Label="Database" cs4= cs5Label="Other info" cs5= cn1Label="Request Id" cn1= cn2Label="Ticket Id" cn2=CPM msg=CPMJul 15 13:54:21 CEF:0|Cyber-Ark|Vault|9.60.0000|295|Retrieve password|5|act=Retrieve password suser=PasswordManager fname=Root\Operating System-WinDomainAD dvc= shost=1.3.4.4 dhost=abc.com duser=AD externalId=

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

rafamss
Contributor
‎07-18-2016 04:45 PM

Your LINE_BREAKER parameter could be like this: (\w{3})\s(\d{2})\s(\d{2}):(\d{2}):(\d{2})

See more in: http://docs.splunk.com/Documentation/Splunk/6.4.2/Data/Configureeventlinebreaking

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

rafamss
Contributor
‎07-18-2016 04:45 PM

Your LINE_BREAKER parameter could be like this: (\w{3})\s(\d{2})\s(\d{2}):(\d{2}):(\d{2})

See more in: http://docs.splunk.com/Documentation/Splunk/6.4.2/Data/Configureeventlinebreaking

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎07-18-2016 09:17 AM

Can you provide samples on how the events should look after splitting?

0 Karma
Reply
Solved! Jump to solution

kiran331
Builder
‎07-18-2016 02:21 PM

Jul 15 13:54:20Cyber-Ark|Vault|9.60.0000|295|Retrieve password|5|act=Retrieve password suser=PasswordManager fname=Root\Operating System-WinDomain-AD dvc= shost=1.2.3.4 dhost=abc.com duser=ADM externalId= app= reason= cs1Label="Affected User Name" cs1= cs2Label="Safe Name" cs2=XYZ cs3Label="Device Type" cs3=Operating System cs4Label="Database" cs4= cs5Label="Other info" cs5= cn1Label="Request Id" cn1= cn2Label="Ticket Id" cn2=CPM msg=CPM

Jul 15 13:54:21 CEF:0|Cyber-Ark|Vault|9.60.0000|295|Retrieve password|5|act=Retrieve password suser=PasswordManager fname=Root\Operating System-WinDomainAD dvc= shost=1.3.4.4 dhost=abc.com duser=AD externalId=

0 Karma
Reply
Get Updates on the Splunk Community!

Data Management Digest – November 2025

  Welcome to the inaugural edition of Data Management Digest! As your trusted partner in data innovation, the ...

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub  Hello Splunk Community!  Staying connected to your data—no matter where you are—is ...

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Real progress on your strategic priorities starts with knowing the business outcomes your teams are delivering ...