Hi , i have the below sample log and the log is not parsing and i am not able to build the sourcetype , is any one can help me to build the sourcetype for below sample log:
1/17/2018 22:21:0:278 pid: shutting down
1/17/2018 22:21:5:284 pid: shutting down
1/17/2018 22:21:10:367 pid: shutting down
1/17/2018 22:23:50:84 pid:205c145f-22a2-dcd4-3a65-d8dfa35d49e4 Current Page: "Log In"
1/17/2018 22:23:50:84 pid:205c145f-22a2-dcd4-3a65-d8dfa35d49e4 at 2fa login page!
1/17/2018 22:23:50:380 pid:205c145f-22a2-dcd4-3a65-d8dfa35d49e4 Waiting for human intervention
1/17/2018 22:23:50:381 pid:205c145f-22a2-dcd4-3a65-d8dfa35d49e4 On 2fa login page, logging in...
2/6/2018 23:57:44:395 pid:e3db867b-2642-061f-fc11-2294be178db6 shutting down
2/6/2018 23:58:9:41 pid: connection failure! msg
2/6/2018 23:58:14:24 pid: connection failure! msg
2/6/2018 23:58:19:47 pid: connection failure! msg
Have you tried the Add Data wizard? It will guide you through the steps of adding a sourcetype.
yes i tried the add data wizard when i go though it , looks good but throwing errors like its combining multiple events into one
In the Add Data wizard, load your file, click Next then click on Advanced. Click on "New Setting" and enter "TIME_FORMAT" in the new Name box and "%m/%d/%Y %H:%M:%S:%3N" in the new Value box. Click "Apply settings" and see if it helps.
Do you know what is the source of these logs ? If yes, try to see in the Add data wizard if you see that log type already supported in Splunk. However if the logs do not have a default support in Splunk, you'll have to provide the linebreaking and Time stamp recognition criteria.
This will work as a minimum props: