Getting Data In

Help On Building source type

Prakash493
Communicator

Hi, I have the below sample log. The log is not parsing and I am not able to build the sourcetype. Can anyone help me build the sourcetype for the below sample log:

1/17/2018 22:21:0:278 pid: shutting down
1/17/2018 22:21:5:284 pid: shutting down
1/17/2018 22:21:10:367 pid: shutting down
1/17/2018 22:23:50:84 pid:205c145f-22a2-dcd4-3a65-d8dfa35d49e4 Current Page: "Log In"
1/17/2018 22:23:50:84 pid:205c145f-22a2-dcd4-3a65-d8dfa35d49e4 at 2fa login page!
1/17/2018 22:23:50:380 pid:205c145f-22a2-dcd4-3a65-d8dfa35d49e4 Waiting for human intervention
1/17/2018 22:23:50:381 pid:205c145f-22a2-dcd4-3a65-d8dfa35d49e4 On 2fa login page, logging in...
2/6/2018 23:57:44:395 pid:e3db867b-2642-061f-fc11-2294be178db6 shutting down
2/6/2018 23:58:9:41 pid: connection failure! msg
2/6/2018 23:58:14:24 pid: connection failure! msg
2/6/2018 23:58:19:47 pid: connection failure! msg

0 Karma
1 Solution

Azeemering
Builder

This will work as a minimum props:

[your_sourcetype]
# Break the stream on newlines, then merge lines until the next line that
# starts with a timestamp (SHOULD_LINEMERGE=true relies on
# BREAK_ONLY_BEFORE_DATE, which defaults to true), so every timestamped
# line in the sample becomes its own event.
SHOULD_LINEMERGE=true
LINE_BREAKER=([\r\n]+)
NO_BINARY_CHECK=true
# Timestamp is anchored at the start of the line:
# month/day/year hours:minutes:seconds:milliseconds, e.g. 1/17/2018 22:21:0:278
TIME_FORMAT=%m/%d/%Y %H:%M:%S:%3N
TIME_PREFIX=^
# Number of characters after TIME_PREFIX to scan for the timestamp. Note that
# the longest timestamp in the sample (1/17/2018 22:23:50:380) is 22 characters.
MAX_TIMESTAMP_LOOKAHEAD=21


0 Karma
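As an added check (not code from the thread or from Splunk), the following Python script mimics what the accepted props do to the sample lines: it splits on LINE_BREAKER, matches TIME_FORMAT at the start of each line (TIME_PREFIX=^), merges timestamp-less lines into the previous event the way SHOULD_LINEMERGE=true does, and reports the timestamp width against MAX_TIMESTAMP_LOOKAHEAD and the subsecond digit count against the %3N in the format. The sample lines are copied from the question; the pid field extraction and the stack-trace continuation line are assumptions added for illustration.

```python
import re
from datetime import datetime
from typing import Dict, List

# Constructed sample: lines copied from the question above.
SAMPLE_LOG = (
    '1/17/2018 22:21:0:278 pid: shutting down\n'
    '1/17/2018 22:21:5:284 pid: shutting down\n'
    '1/17/2018 22:23:50:84 pid:205c145f-22a2-dcd4-3a65-d8dfa35d49e4 Current Page: "Log In"\n'
    '1/17/2018 22:23:50:380 pid:205c145f-22a2-dcd4-3a65-d8dfa35d49e4 Waiting for human intervention\n'
    '2/6/2018 23:57:44:395 pid:e3db867b-2642-061f-fc11-2294be178db6 shutting down\n'
    '2/6/2018 23:58:9:41 pid: connection failure! msg\n'
)
# Constructed, hypothetical continuation line (not in the original sample) used
# to show how a line without a leading timestamp is handled.
CONTINUATION_LINE = "    at com.example.Foo(Foo.java:42)"

# Values taken from the accepted props above.
LINE_BREAKER = re.compile(r"[\r\n]+")   # LINE_BREAKER=([\r\n]+)
MAX_TIMESTAMP_LOOKAHEAD = 21            # MAX_TIMESTAMP_LOOKAHEAD=21
SUBSECOND_DIGITS = 3                    # the %3N in TIME_FORMAT

# Regex equivalent of TIME_PREFIX=^ plus TIME_FORMAT=%m/%d/%Y %H:%M:%S:%3N.
# Numeric fields allow 1-2 digits because the sample has "1/17", "22:21:0" and
# "23:58:9"; the fraction is kept as raw digits because the sample mixes 2- and
# 3-digit fractions (":84", ":41") while the format declares three.
TIMESTAMP_RE = re.compile(
    r"^(?P<mon>\d{1,2})/(?P<day>\d{1,2})/(?P<year>\d{4}) "
    r"(?P<hour>\d{1,2}):(?P<minute>\d{1,2}):(?P<second>\d{1,2}):(?P<frac>\d{1,3})"
)
# Hypothetical field extraction for the "pid:<uuid>" token after the timestamp;
# pid is empty on lines such as "pid: shutting down".
PID_RE = re.compile(r"^ pid:(?P<pid>\S*)\s*(?P<msg>.*)$")


def parse_events(raw: str, should_linemerge: bool = True) -> List[Dict]:
    """Split raw text into events the way the props would.

    With should_linemerge=True a line that does not start with a timestamp is
    appended to the previous event (Splunk's BREAK_ONLY_BEFORE_DATE behaviour);
    with False every physical line becomes its own event.
    """
    events: List[Dict] = []
    for line in LINE_BREAKER.split(raw):
        if not line:
            continue
        m = TIMESTAMP_RE.match(line)
        if m is None:
            if should_linemerge and events:
                events[-1]["raw"] += "\n" + line   # glued onto the previous event
                continue
            events.append({"raw": line, "time": None, "ts_len": 0,
                           "frac_digits": 0, "pid": None, "msg": line})
            continue
        when = datetime(int(m["year"]), int(m["mon"]), int(m["day"]),
                        int(m["hour"]), int(m["minute"]), int(m["second"]))
        rest = PID_RE.match(line[m.end():])
        events.append({
            "raw": line,
            "time": when,
            "ts_len": m.end(),              # characters the timestamp occupies
            "frac_digits": len(m["frac"]),
            "pid": rest["pid"] if rest else None,
            "msg": rest["msg"] if rest else line[m.end():].strip(),
        })
    return events


def check_props(events: List[Dict]) -> Dict:
    """Sanity checks to run on a sample before deploying the props."""
    return {
        "events": len(events),
        "no_timestamp": [e["raw"] for e in events if e["time"] is None],
        "longest_timestamp": max((e["ts_len"] for e in events), default=0),
        "over_lookahead": [e["raw"] for e in events
                           if e["ts_len"] > MAX_TIMESTAMP_LOOKAHEAD],
        "short_fraction": [e["raw"] for e in events
                           if e["time"] and e["frac_digits"] != SUBSECOND_DIGITS],
    }


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for e in evs:
        print(e["time"], e["ts_len"], repr(e["pid"]), e["msg"])
    print(check_props(evs))
    # A continuation line without a timestamp is merged under SHOULD_LINEMERGE=true
    # but becomes a separate, timestamp-less event when merging is off.
    print(len(parse_events(SAMPLE_LOG + CONTINUATION_LINE + "\n")),
          len(parse_events(SAMPLE_LOG + CONTINUATION_LINE + "\n", should_linemerge=False)))
```

Two things the check surfaces on this sample are worth confirming in the Add Data preview rather than assuming: the longest timestamp (for example 1/17/2018 22:23:50:380) is 22 characters, one more than the MAX_TIMESTAMP_LOOKAHEAD in the props, and two lines (:84 and :41) carry only two subsecond digits where the format declares three. Both conditions also hold for dates with a two-digit month, which the sample does not include.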

Prakash493
Communicator

Thanks Azeem, it worked and my logs look good now.

0 Karma

woodcock
Esteemed Legend

Another vote for Add Data Wizard.

0 Karma

amitm05
Builder

Do you know what the source of these logs is? If yes, check in the Add Data wizard whether that log type is already supported in Splunk. However, if the logs do not have default support in Splunk, you'll have to provide the line-breaking and timestamp recognition criteria.

0 Karma

richgalloway
SplunkTrust

Have you tried the Add Data wizard? It will guide you through the steps of adding a sourcetype.

---
If this reply helps you, Karma would be appreciated.

Prakash493
Communicator

Yes, I tried the Add Data wizard. When I go through it, it looks good, but it throws errors like combining multiple events into one.

0 Karma

richgalloway
SplunkTrust

In the Add Data wizard, load your file, click Next then click on Advanced. Click on "New Setting" and enter "TIME_FORMAT" in the new Name box and "%m/%d/%Y %H:%M:%S:%3N" in the new Value box. Click "Apply settings" and see if it helps.

---
If this reply helps you, Karma would be appreciated.
0 Karma