
How can I propagate date+hour to each next event in the log?

Engager

Hi. I am a newborn Splunk user. Logs come in the following format:
--Format--
@@dd/mm/yyyyHH
MMSS.msecond|Message...
....
@@dd/mm/yyyy
HH
MMSS.msecond|Message...

Sample:
@@10/07/201820
4117.824|MessageA
4117.826|MessageB
4118.007|MessageA
4118.010|MessageC
@@10/07/2018
21
1107.284|MessageD
1221.621|MessageB
2128.107|MessageE
4817.112|MessageF

How can I capture date+hour and apply it to each event at indexing time?
E.g. for the last message in the sample I need something like the line below:
10/07/2018 21:48:17.112 MessageF

Or how to make Splunk recognize a timestamp properly when hour is linked to date and precise time is linked to each message?

Appreciate your help.


Re: How can I propagate date+hour to each next event in the log?

Contributor

I don't think what you are after is possible. Each event needs its own timestamp. The only alternative I could think of would be using indexing time as the timestamp. Set up a props.conf and add the following. You would also need to set up some regex for line breaking, I'm assuming, which can be found in props.conf as well.

DATETIME_CONFIG = CURRENT


Re: How can I propagate date+hour to each next event in the log?

Engager

There is no easy way in Splunk. You have to use the PowerShell add-on with the following command for upload (header lines become "yyyy-mm-ddTHH:00:00", and each event line is prefixed with the date+hour remembered in $a):
Get-ChildItem '*.log' -Recurse | Get-Content | %{if($_ -match '^@@'){$a=($_ -replace '^@@(\d{2})\/(\d{2})\/(\d{4})(\d{2})','$3-$2-$1T$4:');"$($a)00:00"}else{"$a$($_ -replace '^(\d{2})(\d{2}.\d{3})', '$1:$2 ')"}}

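The same pre-processing step written in Python, as an added illustration that is not the poster's code: it propagates the date+hour from each @@ header to the event lines that follow and handles both header variants from the question's format section, including the hour on its own line, which the one-liner above does not match. The sample log is constructed from the question's data.

```python
import re
from typing import Iterator, List

# Constructed sample in the format the question describes; the second block has
# the hour on its own line, the variant the question's format section also shows.
SAMPLE_LOG = """@@10/07/201820
4117.824|MessageA
4117.826|MessageB
4118.007|MessageA
4118.010|MessageC
@@10/07/2018
21
1107.284|MessageD
1221.621|MessageB
2128.107|MessageE
4817.112|MessageF
"""

HEADER_RE = re.compile(r"^@@(\d{2})/(\d{2})/(\d{4})(\d{2})?$")  # hour optional
HOUR_RE = re.compile(r"^\d{2}$")                                 # bare HH line
EVENT_RE = re.compile(r"^(\d{2})(\d{2})\.(\d{3})\|(.*)$")        # MMSS.msec|Message

def propagate_date_hour(lines) -> Iterator[str]:
    """Yield 'dd/mm/yyyy HH:MM:SS.msec Message' for every event line, using the
    date+hour from the most recent @@ header (the hour may sit on the next line)."""
    date = hour = None
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:  # header: remember date and (if present) hour, emit nothing
            day, month, year, hh = m.groups()
            date, hour = f"{day}/{month}/{year}", hh
            continue
        if date is not None and HOUR_RE.match(line):  # bare HH after a header
            hour = line
            continue
        m = EVENT_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised line: {line!r}")
        if date is None or hour is None:
            raise ValueError(f"event before any date/hour header: {line!r}")
        mm, ss, msec, msg = m.groups()
        yield f"{date} {hour}:{mm}:{ss}.{msec} {msg}"

def convert(text: str) -> List[str]:
    return list(propagate_date_hour(text.splitlines()))
```

Run `convert` over the raw file content before forwarding, so every event carries a full timestamp that Splunk's default timestamp recognition can pick up.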