Solved: Re: Help On Building source type

Prakash493 · ‎07-03-2019

Hi , i have the below sample log and the log is not parsing and i am not able to build the sourcetype , is any one can help me to build the sourcetype for below sample log:

1/17/2018 22:21:0:278 pid: shutting down
1/17/2018 22:21:5:284 pid: shutting down
1/17/2018 22:21:10:367 pid: shutting down
1/17/2018 22:23:50:84 pid:205c145f-22a2-dcd4-3a65-d8dfa35d49e4 Current Page: "Log In"
1/17/2018 22:23:50:84 pid:205c145f-22a2-dcd4-3a65-d8dfa35d49e4 at 2fa login page!
1/17/2018 22:23:50:380 pid:205c145f-22a2-dcd4-3a65-d8dfa35d49e4 Waiting for human intervention
1/17/2018 22:23:50:381 pid:205c145f-22a2-dcd4-3a65-d8dfa35d49e4 On 2fa login page, logging in...
2/6/2018 23:57:44:395 pid:e3db867b-2642-061f-fc11-2294be178db6 shutting down
2/6/2018 23:58:9:41 pid: connection failure! msg
2/6/2018 23:58:14:24 pid: connection failure! msg
2/6/2018 23:58:19:47 pid: connection failure! msg

Azeemering · ‎07-04-2019

This will work as a minimum props:

[your_sourcetype]
SHOULD_LINEMERGE=true
LINE_BREAKER=([\r\n]+)
NO_BINARY_CHECK=true
TIME_FORMAT=%m/%d/%Y %H:%M:%S:%3N
TIME_PREFIX=^
MAX_TIMESTAMP_LOOKAHEAD=21

View solution in original post

Azeemering · ‎07-04-2019

This will work as a minimum props:

[your_sourcetype]
SHOULD_LINEMERGE=true
LINE_BREAKER=([\r\n]+)
NO_BINARY_CHECK=true
TIME_FORMAT=%m/%d/%Y %H:%M:%S:%3N
TIME_PREFIX=^
MAX_TIMESTAMP_LOOKAHEAD=21

Prakash493 · ‎07-05-2019

Thanks Azeem , It worked and my logs looks good now.

woodcock · ‎07-03-2019

Another vote for Add Data Wizard.

amitm05 · ‎07-03-2019

Do you know what is the source of these logs ? If yes, try to see in the Add data wizard if you see that log type already supported in Splunk. However if the logs do not have a default support in Splunk, you'll have to provide the linebreaking and Time stamp recognition criteria.

richgalloway · ‎07-03-2019

Have you tried the Add Data wizard? It will guide you through the steps of adding a sourcetype.

---
If this reply helps you, Karma would be appreciated.

Prakash493 · ‎07-03-2019

yes i tried the add data wizard when i go though it , looks good but throwing errors like its combining multiple events into one

richgalloway · ‎07-03-2019

In the Add Data wizard, load your file, click Next then click on Advanced. Click on "New Setting" and enter "TIME_FORMAT" in the new Name box and "%m/%d/%Y %H:%M:%S:%3N" in the new Value box. Click "Apply settings" and see if it helps.

---
If this reply helps you, Karma would be appreciated.

Help On Building source type

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

SplunkTrust Application Period is Officially OPEN!

Join the Conversation