Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to break a multi-line event with regex, provided that the date and time containing the milliseconds changes only at the beginning of the line.

leandromatperei
Path Finder
‎11-18-2019 10:47 AM

Hi,
I have the following log format,
How can I break this multiline event, with the condition if the date is changed only when the date containing time is at the beginning of the line.

Thread easy_init.exe.3504 with tid:7248 of process easy_init with pid:3504 has internal thread id #2

Thread easy_init.3504 (thread #0, tid: 20616) with tid:20616 of process easy_init with pid:3504 has internal thread id #2

Thread easy_init.3504 (thread #1, tid: 50872) with tid:50872 of process easy_init with pid:3504 has internal thread id #3

Thread easy_init.3504 (thread #3, tid: 26584) with tid:26584 of process easy_init with pid:3504 has internal thread id #4

Thread easy_init.3504 (thread #4, tid: 80456) with tid:80456 of process easy_init with pid:3504 has internal thread id #5

Thread easy_init.3504 (thread #2, tid: 16376) with tid:16376 of process easy_init with pid:3504 has internal thread id #6

(2019-11-18 08:02:29.611)           (2019-11-17 15:38:11.334)
easy_init.3504 (thread #0, tid: 20616) (trace:0) (proc_launch): Process easy_log successfully launched (58984)


(2019-11-18 08:02:29.626)           (2019-11-18 08:02:29.626)
easy_log.exe.58984 (trace:0) ([ trace: level 3 depth 40 ] version '8.4' [ build 0 (Jun 11 2019 11:13:15) Update 1220 ]
Operating system information: Windows Server 2012(x64) , build 9200 , locale: 'English_United States.1252'/'English_United States.1252'
): information


(2019-11-18 08:02:29.658)           (2019-11-18 08:02:29.642)
easy_init.exe.3504 (trace:0) (proc_launch): Process dbmon.oci successfully launched (73792)


Thread easy_init[children].3504 with tid:7256 of process easy_init with pid:3504 has internal thread id #9

Thread easy_init[children].3504 with tid:7256 of process easy_init with pid:3504 has internal thread id #9

Thread dbmon.oci.exe.73792 with tid:74852 of process dbmon.oci.exe with pid:73792 has internal thread id #7

(2019-11-18 08:02:29.923)           (2019-11-18 08:02:29.923)
dbmon.oci.exe.73792 (dbmon thread, tid: 50600) (trace:0) ([ trace: level 3 depth 40 ] version '8.4' [ build 0 (Jun 11 2019 11:27:47) Update 1220 ]): information


Thread dbmon.oci.exe.73792 (dbmon thread, tid: 50600) with tid:50600 of process dbmon.oci.exe with pid:73792 has internal thread id #8

(2019-11-18 08:02:30.501)           (2019-11-18 08:02:29.642)
easy_init.exe.3504 (trace:0) (proc_launch): Process fr.oci successfully launched (87772)

Example: 2019-11-18 08:02:30.501

0 Karma
Reply

sanjeev543
Communicator
‎11-18-2019 06:17 PM

Please try below config in your props.conf

[ your_sourcetype]
SHOULD_LINEMERGE=true
NO_BINARY_CHECK=true
BREAK_ONLY_BEFORE_DATE=true
TIME_PREFIX=^\(
TIME_FORMAT=%Y-%m-%d%t%H:%M:%S.%3N

I see that it's breaking as you are expected

alt text

Preview file
1 KB
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎11-18-2019 11:38 AM

Try these props.conf settings for starters:

[myssourceype]
TIME_PREFIX = ^\(
TIME_FORMAT = %Y-%m-%d %H:%M:%S.%3N
MAX_TIMESTAMP_LOOKAHEAD = 23
LINE_BREAKER = ([\r\n]+)%Y-%m-%d %H:%M:%S.%3N
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

leandromatperei
Path Finder
‎11-18-2019 04:44 PM

Thanks, I think something went wrong.

It's getting a single line

The event was not broken into multiple lines.

0 Karma
Reply

leandromatperei
Path Finder
‎11-18-2019 04:54 PM

The log below for example should be split into two events because of the timestamp.

However this is not happening.

(2019-11-18 08:02:29.923)           (2019-11-18 08:02:29.923)
 dbmon.oci.exe.73792 (dbmon thread, tid: 50600) (trace:0) ([ trace: level 3 depth 40 ] version '8.4' [ build 0 (Jun 11 2019 11:27:47) Update 1220 ]): information

 Thread dbmon.oci.exe.73792 (dbmon thread, tid: 50600) with tid:50600 of process dbmon.oci.exe with pid:73792 has internal thread id #8

 (2019-11-18 08:02:30.501)           (2019-11-18 08:02:29.642)
 easy_init.exe.3504 (trace:0) (proc_launch): Process fr.oci successfully launched (87772)
0 Karma
Reply
Get Updates on the Splunk Community!

Updated Team Landing Page in Splunk Observability

We’re making some changes to the team landing page in Splunk Observability, based on your feedback. The ...

New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...

Regardless of where you are in Splunk Observability, you can search for relevant APM targets including service ...

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...