Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Can you help me with my Line Breaker and event time setting issue?

damucka
Builder
‎11-12-2018 03:56 AM

Hello,

I have the source type SID_transports for the ingestion of the SAP ABAP transport logs. They are in the following form:

1 ETP199X######################################
1 ETP153 DICTIONARY IMPORT
1 ETP101 transport order     : "ISPK930545"
1 ETP102 system              : "ISH"
1 ETP108 tp path             : "tp"
1 ETP109 version and release : "380.58.35" "749"
1 ETP198 
4 ETW000 R3trans.exe version 6.25 (release 749 - 28.09.16 - 20:16:05).
4 ETW000 unicode enabled version
4 ETW000 ===============================================
4 ETW000 
....
....
....
4 ETW000 Disconnected from database.
4 ETW000 End of Transport (0000).
4 ETW000 date&time: 09.03.2018 - 14:29:19
1 ETP153 DICTIONARY IMPORT
1 ETP110 end date and time   : "20180309142919"
1 ETP111 exit code           : "0"
1 ETP199 ######################################

Now, I would like the following:

  • make one event out of each complete import, which would basically be everything between "1 ETP199X" and "1 ETP199". So, I guess I need to set the line breaker to the "1 ETP199". How would I do it?

  • I would like to set the event time to the end time of the import, coming in the line:

    1 ETP110 end date and time : "20180309142919"
    How would I extract it and tell the indexer to make the _time out of it?

Kind Regards,
Kamil

Tags (1)
0 Karma
Reply

493669
Super Champion
‎11-12-2018 04:29 AM

Give this a try-

 [ <your sourcetype name>]
 SHOULD_LINEMERGE=false
 NO_BINARY_CHECK=true
 MAX_TIMESTAMP_LOOKAHEAD=36
 LINE_BREAKER= (1\sETP199\s#*)
TIME_PREFIX = 1\sETP110\send\sdate\sand\stime\s*:\s*\"(\d+)
 TIME_FORMAT = %Y%d%m%H%M%S

Here in date 09.03.2018 assumed 09 as month and 03 as date....

0 Karma
Reply

damucka
Builder
‎11-27-2018 08:09 AM

Hello,

It is a bit strange, but the Splunk sets the event time "nearly correct", which I do not understand. For the following event:

1 ETP199X######################################
1 ETP193 deployment of SAP HANA(R) repository objects
...
A2 ESCTS_HOT 509 End of deployment of SAP HANA repository objects: "20181123141121"
1 ETP193 deployment of SAP HANA(R) repository objects
1 ETP110 end date and time   : "20181123151121"
1 ETP111 exit code           : "8"

for which I would expect the event time to be set to 11/23/18
3:11:21.000 PM, it sets it to 11/23/18 3:11:23.000 PM, which is two seconds later. I have some more examples of that. The event time is always some second later than the one from the ETP110 pattern.

Could you perhaps help?

Kind regards,
Kamil

0 Karma
Reply

FrankVl
Ultra Champion
‎11-27-2018 08:24 AM

That's because the timestamp extraction fails and is taking current time / time from a previous event.

The time format suggested is wrong, it has the month and day swapped. Try TIME_FORMAT = %Y%m%d%H%M%S

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...