Getting Data In

How can I event break a catalina.out log with two different time stamps ?

Path Finder

Hello, my developers want to read a catalina.out log file.

It contains events with two distinct time stamp formats.

Is there a way to have a source type honor both timestamps, and create 2 separate events using either time stamp?

I know I can pick one then mash the others into one event but I'd like to get around that if possible.

e.g.

03-Oct-2018 10:30:27.651 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Server version:        Secure Web server
2018-10-10 12:37:37.797  INFO 23997 --- [nio-8443-exec-8] o.s.web.servlet.DispatcherServlet        : FrameworkServlet 'dispatcherServlet': initialization completed in 40 ms

I have asked to unravel this log file into it's components (other uniform log files) but that hasn't gone anywhere.

0 Karma
1 Solution

Explorer

Splunk breaks events by timestamp according to certain patterns.

If you tell him which patterns to look for then he'll do the job as fine as if you had only one timestamp format.

What you need to do is tell him which patterns to expect and when he should do the breaking.

In order to do this:

First: Create a LINE_BREAKER which encompasses every pattern of timestamp you're willing to use to separate the events.

Second: You supply Splunk with the the format of said timestamps so he can recognize and create the right times for your events.

This is done by creating a custom datetime.xml associated with your sourcetype to extract the timestamp values correctly:

http://docs.splunk.com/Documentation/Splunk/7.0.5/Data/Configuredatetimexml

Here's one example with several different formats you can follow and that should suit your needs:

https://www.function1.com/2013/01/oh-no-splunking-log-files-with-multiple-formats-no-problem

Hope this helps 🙂

View solution in original post

Explorer

Splunk breaks events by timestamp according to certain patterns.

If you tell him which patterns to look for then he'll do the job as fine as if you had only one timestamp format.

What you need to do is tell him which patterns to expect and when he should do the breaking.

In order to do this:

First: Create a LINE_BREAKER which encompasses every pattern of timestamp you're willing to use to separate the events.

Second: You supply Splunk with the the format of said timestamps so he can recognize and create the right times for your events.

This is done by creating a custom datetime.xml associated with your sourcetype to extract the timestamp values correctly:

http://docs.splunk.com/Documentation/Splunk/7.0.5/Data/Configuredatetimexml

Here's one example with several different formats you can follow and that should suit your needs:

https://www.function1.com/2013/01/oh-no-splunking-log-files-with-multiple-formats-no-problem

Hope this helps 🙂

View solution in original post

Path Finder

Thank you so much! I will give this a try and report back.

0 Karma

SplunkTrust
SplunkTrust

This has bad idea written all over it. Best of luck handling this tech debt once in production

0 Karma

SplunkTrust
SplunkTrust

No.. Standardize into the same timestamp or create an additional sourcetype for this new timestamp format

0 Karma

Path Finder

Yes, while I like this answer and have used it many times in the past. Sometimes I have not control over the input and in this case it is better to read the .out file with mixed inputs rather than not. I totally understand and it is a better approach to make the timestamps consistent and the log file more pure than mixed. See the second answer posted to this question. I will be giving it a try and report back.

0 Karma

SplunkTrust
SplunkTrust

You don't need control over the inputs.. I'm assuming your the Splunk admin, so you have to control the Splunk conf files. I don't see why it's so difficult to create an additional sourcetype or add this to existing sourcetype.

0 Karma