Getting Data In

How can I event break a catalina.out log with two different time stamps?

pretzel2
Path Finder

Hello, my developers want to read a catalina.out log file.

It contains events with two distinct time stamp formats.

Is there a way to have a source type honor both timestamps, and create 2 separate events using either time stamp?

I know I can pick one then mash the others into one event but I'd like to get around that if possible.

e.g.

03-Oct-2018 10:30:27.651 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Server version:        Secure Web server
2018-10-10 12:37:37.797  INFO 23997 --- [nio-8443-exec-8] o.s.web.servlet.DispatcherServlet        : FrameworkServlet 'dispatcherServlet': initialization completed in 40 ms

I have asked to unravel this log file into its components (other uniform log files) but that hasn't gone anywhere.

0 Karma
1 Solution

tiagopeq
Explorer

Splunk breaks events by timestamp according to certain patterns.

If you tell him which patterns to look for then he'll do the job as fine as if you had only one timestamp format.

What you need to do is tell him which patterns to expect and when he should do the breaking.

In order to do this:

First: Create a LINE_BREAKER which encompasses every pattern of timestamp you're willing to use to separate the events.

Second: You supply Splunk with the format of said timestamps so he can recognize and create the right times for your events.

This is done by creating a custom datetime.xml associated with your sourcetype to extract the timestamp values correctly:

http://docs.splunk.com/Documentation/Splunk/7.0.5/Data/Configuredatetimexml

Here's one example with several different formats you can follow and that should suit your needs:

https://www.function1.com/2013/01/oh-no-splunking-log-files-with-multiple-formats-no-problem

Hope this helps 🙂
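As an added example (not from the original thread or from Splunk), the Python below mirrors what the two-pattern LINE_BREAKER and the two datetime.xml patterns described above would do to the poster's lines: the regex splits only where either timestamp shape begins, so an untimestamped stack-trace line stays with the event before it, and each event's time is parsed with whichever of the two formats matches. The sample input is constructed, and the props.conf regex quoted in the comment is an assumed equivalent, not a setting taken from this thread.

```python
import re
from datetime import datetime

# The two timestamp shapes in the question's catalina.out sample:
#   03-Oct-2018 10:30:27.651 (Tomcat's own log format)
#   2018-10-10 12:37:37.797  (application/Spring-style format)
TOMCAT_TS = r"\d{2}-[A-Z][a-z]{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}"
APP_TS = r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}"

# Assumed props.conf equivalent:
#   LINE_BREAKER = ([\r\n]+)(?=\d{2}-[A-Z][a-z]{2}-\d{4} |\d{4}-\d{2}-\d{2} )
# Group 1 (the newlines) is dropped and a new event starts at the lookahead,
# so lines with no leading timestamp (stack traces) stay with the prior event.
LINE_BREAKER = re.compile(r"([\r\n]+)(?=%s|%s)" % (TOMCAT_TS, APP_TS))

# strptime counterparts of the two patterns a custom datetime.xml declares.
TIME_FORMATS = ("%d-%b-%Y %H:%M:%S.%f", "%Y-%m-%d %H:%M:%S.%f")
LEADING_TS = re.compile(r"^(?:%s|%s)" % (TOMCAT_TS, APP_TS))

# Constructed sample modelled on the question's lines, plus a stack trace
# (no timestamp) that must stay attached to the ERROR event before it.
SAMPLE = (
    "03-Oct-2018 10:30:27.651 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Server version: Secure Web server\n"
    "2018-10-10 12:37:37.797  INFO 23997 --- [nio-8443-exec-8] o.s.web.servlet.DispatcherServlet : FrameworkServlet 'dispatcherServlet': initialization completed in 40 ms\n"
    "2018-10-10 12:37:38.001 ERROR 23997 --- [nio-8443-exec-8] o.s.web.servlet.DispatcherServlet : request failed\n"
    "java.lang.IllegalStateException: constructed example\n"
    "\tat com.example.Handler.handle(Handler.java:42)\n"
    "10-Oct-2018 12:37:39.500 INFO [main] org.apache.catalina.startup.Catalina.start Server startup in 473 ms\n"
)

def break_events(raw: str) -> list[str]:
    """Split raw text into events exactly where LINE_BREAKER would."""
    chunks = LINE_BREAKER.split(raw)[::2]  # [::2] skips the captured newlines
    return [c.strip() for c in chunks if c.strip()]

def parse_timestamp(event: str) -> datetime:
    """Read an event's leading timestamp with whichever format fits."""
    m = LEADING_TS.match(event)
    if not m:
        raise ValueError("event does not start with a known timestamp")
    for fmt in TIME_FORMATS:
        try:
            return datetime.strptime(m.group(0), fmt)
        except ValueError:
            continue
    raise ValueError("regex matched but no TIME_FORMAT parsed it")

def summarize(raw: str) -> list[tuple[str, int]]:
    """(ISO timestamp, line count) per event, as Splunk would index them."""
    return [(parse_timestamp(e).isoformat(timespec="milliseconds"), e.count("\n") + 1)
            for e in break_events(raw)]
```

Running `summarize(SAMPLE)` yields four events, with the three-line ERROR event carrying its stack trace, which is the behaviour the single LINE_BREAKER with both patterns is meant to give.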

pretzel2
Path Finder

Thank you so much! I will give this a try and report back.

0 Karma

skoelpin
SplunkTrust

This has bad idea written all over it. Best of luck handling this tech debt once in production

0 Karma

skoelpin
SplunkTrust

No.. Standardize into the same timestamp or create an additional sourcetype for this new timestamp format

0 Karma

pretzel2
Path Finder

Yes, while I like this answer and have used it many times in the past. Sometimes I have no control over the input and in this case it is better to read the .out file with mixed inputs rather than not. I totally understand and it is a better approach to make the timestamps consistent and the log file more pure than mixed. See the second answer posted to this question. I will be giving it a try and report back.

0 Karma

skoelpin
SplunkTrust

You don't need control over the inputs.. I'm assuming you're the Splunk admin, so you have to control the Splunk conf files. I don't see why it's so difficult to create an additional sourcetype or add this to existing sourcetype.

0 Karma