I have the following entries from a logfile created with log4j.
[slf5s.start]07 Jul 2016 15:23:37,789[slf5s.DATE]WARN [slf5s.PRIORITY]serviceNameRedacted::execute 4dc8d34e-4478-11e6-ab32-0a30b49b0000[slf5s.MDC]Processing time to execute redacted stored procedure in ms- 441[slf5s.MESSAGE]
[slf5s.start]07 Jul 2016 15:23:37,802[slf5s.DATE]WARN [slf5s.PRIORITY]serviceNameRedacted::execute 4dc8d34e-4478-11e6-ab32-0a30b49b0000[slf5s.MDC]Processing time to map redacted Header in ms- 10,row count=274[slf5s.MESSAGE]
[slf5s.start]07 Jul 2016 15:23:37,834[slf5s.DATE]WARN [slf5s.PRIORITY]serviceNameRedacted::execute 4dc8d34e-4478-11e6-ab32-0a30b49b0000[slf5s.MDC]Processing time to map redacted cursor in ms--- 23[slf5s.MESSAGE]
[slf5s.start]07 Jul 2016 15:23:37,840[slf5s.DATE]WARN [slf5s.PRIORITY]serviceNameRedacted::execute 4dc8d34e-4478-11e6-ab32-0a30b49b0000[slf5s.MDC]Size of Cursor is 262 rows[slf5s.MESSAGE]
Splunk is placing all of those entries into a single event with this timestamp 07 Jul 2016 15:23:37,789 and not creating an event for each of those timestamps. My theory is that it's because the line does not begin with a timestamp, but instead begins with [slf5s.start]
Any help on how I can get these to be discrete events would be appreciated
Have you tried setting SHOULD_LINEMERGE = FALSE in props.conf? I think that will make Splunk create new events on line breaks.
And it seems to already find the timestamp ok, but you could specify the TIME_PREFIX, TIME_FORMAT and MAX_TIMESTAMP_LOOKAHEAD as well if needed or to make Splunk's job easier.
If all your events begin with [slf5s.start], you could set that as the TIME_PREFIX and MAX_TIMESTAMP_LOOKAHEAD in your props.conf
http://docs.splunk.com/Documentation/Splunk/6.1.3/Data/Configuretimestamprecognition
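Added example, not part of the original question or answer and not Splunk's own code: a props.conf stanza for the four sample lines above, plus a small Python model of how Splunk applies LINE_BREAKER, TIME_PREFIX, MAX_TIMESTAMP_LOOKAHEAD and TIME_FORMAT to them, so the effect of the settings can be checked offline before touching an indexer. The sourcetype name `log4j_slf5s` is assumed, the sample lines are the ones from the question, and `merge_like_default` is a simplified model of the merge behaviour the question reports, not Splunk's actual implementation.

```python
import re
from datetime import datetime

# Constructed sample input: the four log4j lines from the question, joined as
# Splunk would read them from the file.
SAMPLE_LINES = [
    "[slf5s.start]07 Jul 2016 15:23:37,789[slf5s.DATE]WARN [slf5s.PRIORITY]"
    "serviceNameRedacted::execute 4dc8d34e-4478-11e6-ab32-0a30b49b0000[slf5s.MDC]"
    "Processing time to execute redacted stored procedure in ms- 441[slf5s.MESSAGE]",
    "[slf5s.start]07 Jul 2016 15:23:37,802[slf5s.DATE]WARN [slf5s.PRIORITY]"
    "serviceNameRedacted::execute 4dc8d34e-4478-11e6-ab32-0a30b49b0000[slf5s.MDC]"
    "Processing time to map redacted Header in ms- 10,row count=274[slf5s.MESSAGE]",
    "[slf5s.start]07 Jul 2016 15:23:37,834[slf5s.DATE]WARN [slf5s.PRIORITY]"
    "serviceNameRedacted::execute 4dc8d34e-4478-11e6-ab32-0a30b49b0000[slf5s.MDC]"
    "Processing time to map redacted cursor in ms--- 23[slf5s.MESSAGE]",
    "[slf5s.start]07 Jul 2016 15:23:37,840[slf5s.DATE]WARN [slf5s.PRIORITY]"
    "serviceNameRedacted::execute 4dc8d34e-4478-11e6-ab32-0a30b49b0000[slf5s.MDC]"
    "Size of Cursor is 262 rows[slf5s.MESSAGE]",
]
SAMPLE_STREAM = "\n".join(SAMPLE_LINES) + "\n"

# props.conf stanza to put on the indexer or heavy forwarder. "log4j_slf5s" is
# an assumed sourcetype name. The lookahead in LINE_BREAKER only breaks before a
# line that starts with [slf5s.start], so any continuation lines (a stack trace,
# say) stay attached to the event they belong to.
PROPS_CONF = r"""
[log4j_slf5s]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)(?=\[slf5s\.start\])
TIME_PREFIX = ^\[slf5s\.start\]
TIME_FORMAT = %d %b %Y %H:%M:%S,%3N
MAX_TIMESTAMP_LOOKAHEAD = 30
"""

# Splunk strptime tokens -> regex matching the characters each one consumes.
TOKEN_RE = {"%d": r"\d{2}", "%b": r"[A-Za-z]{3}", "%Y": r"\d{4}",
            "%H": r"\d{2}", "%M": r"\d{2}", "%S": r"\d{2}", "%3N": r"\d{3}"}


def parse_stanza(text):
    """Minimal props.conf reader: {key: value} for a single stanza."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings


def break_events(stream, line_breaker):
    """Split the raw stream like LINE_BREAKER: the text matched by the first
    capture group is discarded, the text on either side is kept."""
    parts = re.split(line_breaker, stream)          # [text, group, text, group, ...]
    return [p.strip("\r\n") for p in parts[::2] if p.strip()]


def time_format_regex(time_format):
    """Turn a Splunk TIME_FORMAT into a regex for the timestamp text."""
    pattern, i = "", 0
    while i < len(time_format):
        for token, rx in TOKEN_RE.items():
            if time_format.startswith(token, i):
                pattern += rx
                i += len(token)
                break
        else:
            pattern += re.escape(time_format[i])
            i += 1
    return pattern


def extract_timestamp(event, cfg):
    """Apply TIME_PREFIX, MAX_TIMESTAMP_LOOKAHEAD and TIME_FORMAT to one event."""
    prefix = re.search(cfg["TIME_PREFIX"], event)
    if not prefix:
        return None
    window = event[prefix.end(): prefix.end() + int(cfg["MAX_TIMESTAMP_LOOKAHEAD"])]
    m = re.match(time_format_regex(cfg["TIME_FORMAT"]), window)
    if not m:
        return None
    # Splunk's %3N is milliseconds; Python's %f takes 1-6 digits and right-pads,
    # so "789" parses as 789000 microseconds, i.e. the same 789 ms.
    return datetime.strptime(m.group(0), cfg["TIME_FORMAT"].replace("%3N", "%f"))


def index_events(stream, props_conf):
    """[(timestamp, raw_event), ...] as the stanza above would produce them."""
    cfg = parse_stanza(props_conf)
    return [(extract_timestamp(e, cfg), e) for e in break_events(stream, cfg["LINE_BREAKER"])]


def merge_like_default(lines, time_format):
    """Simplified model of the behaviour the question reports (line merging on,
    new event only before a line that begins with a date): lines starting with
    [slf5s.start] never qualify, so everything collapses into one event."""
    date_at_start = re.compile(time_format_regex(time_format))
    events = []
    for line in lines:
        if date_at_start.match(line) or not events:
            events.append(line)
        else:
            events[-1] += "\n" + line
    return events


if __name__ == "__main__":
    print(len(merge_like_default(SAMPLE_LINES, "%d %b %Y %H:%M:%S,%3N")), "event(s) with line merging")
    for ts, raw in index_events(SAMPLE_STREAM, PROPS_CONF):
        print(ts.isoformat(timespec="milliseconds"), raw[:60])
```

With the stanza applied the four lines become four events carrying 15:23:37.789, .802, .834 and .840 respectively; the merged single event is what the question describes. On a real deployment, verify with a test index and `| stats count by _time` rather than trusting the model, and restart or reload the inputs after editing props.conf.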