Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Can you help me with my Line Breaker and event tim...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can you help me with my Line Breaker and event time setting issue?
Hello,
I have the source type SID_transports for the ingestion of the SAP ABAP transport logs. They are in the following form:
1 ETP199X######################################
1 ETP153 DICTIONARY IMPORT
1 ETP101 transport order : "ISPK930545"
1 ETP102 system : "ISH"
1 ETP108 tp path : "tp"
1 ETP109 version and release : "380.58.35" "749"
1 ETP198
4 ETW000 R3trans.exe version 6.25 (release 749 - 28.09.16 - 20:16:05).
4 ETW000 unicode enabled version
4 ETW000 ===============================================
4 ETW000
....
....
....
4 ETW000 Disconnected from database.
4 ETW000 End of Transport (0000).
4 ETW000 date&time: 09.03.2018 - 14:29:19
1 ETP153 DICTIONARY IMPORT
1 ETP110 end date and time : "20180309142919"
1 ETP111 exit code : "0"
1 ETP199 ######################################
Now, I would like the following:
- make one event out of each complete import, which would basically be everything between "1 ETP199X" and "1 ETP199". So, I guess I need to set the line breaker to the "1 ETP199". How would I do it?
I would like to set the event time to the end time of the import, coming in the line:
1 ETP110 end date and time : "20180309142919"
How would I extract it and tell the indexer to make the _time out of it?
Kind Regards,
Kamil
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Give this a try-
[ <your sourcetype name>]
SHOULD_LINEMERGE=false
NO_BINARY_CHECK=true
MAX_TIMESTAMP_LOOKAHEAD=36
LINE_BREAKER= (1\sETP199\s#*)
TIME_PREFIX = 1\sETP110\send\sdate\sand\stime\s*:\s*\"(\d+)
TIME_FORMAT = %Y%d%m%H%M%S
Here in date 09.03.2018 assumed 09 as month and 03 as date....
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
It is a bit strange, but the Splunk sets the event time "nearly correct", which I do not understand. For the following event:
1 ETP199X######################################
1 ETP193 deployment of SAP HANA(R) repository objects
...
A2 ESCTS_HOT 509 End of deployment of SAP HANA repository objects: "20181123141121"
1 ETP193 deployment of SAP HANA(R) repository objects
1 ETP110 end date and time : "20181123151121"
1 ETP111 exit code : "8"
for which I would expect the event time to be set to 11/23/18
3:11:21.000 PM, it sets it to 11/23/18 3:11:23.000 PM, which is two seconds later. I have some more examples of that. The event time is always some second later than the one from the ETP110 pattern.
Could you perhaps help?
Kind regards,
Kamil
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That's because the timestamp extraction fails and is taking current time / time from a previous event.
The time format suggested is wrong, it has the month and day swapped. Try TIME_FORMAT = %Y%m%d%H%M%S
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Announcing Modern Navigation: A New Era of Splunk User Experience
Modernize your Splunk Apps – Introducing Python 3.13 in Splunk
Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...
