Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to configure Splunk to index separate events for each timestamp in my sample data?

cjmckenna
New Member
‎07-07-2016 02:32 PM

I have the following entries from a logfile created with log4j.

[slf5s.start]07 Jul 2016 15:23:37,789[slf5s.DATE]WARN [slf5s.PRIORITY]serviceNameRedacted::execute 4dc8d34e-4478-11e6-ab32-0a30b49b0000[slf5s.MDC]Processing time to execute redacted stored procedure in ms- 441[slf5s.MESSAGE]
[slf5s.start]07 Jul 2016 15:23:37,802[slf5s.DATE]WARN [slf5s.PRIORITY]serviceNameRedacted::execute 4dc8d34e-4478-11e6-ab32-0a30b49b0000[slf5s.MDC]Processing time to map redacted Header in ms- 10,row count=274[slf5s.MESSAGE]
[slf5s.start]07 Jul 2016 15:23:37,834[slf5s.DATE]WARN [slf5s.PRIORITY]serviceNameRedacted::execute 4dc8d34e-4478-11e6-ab32-0a30b49b0000[slf5s.MDC]Processing time to map redacted cursor in ms--- 23[slf5s.MESSAGE]
[slf5s.start]07 Jul 2016 15:23:37,840[slf5s.DATE]WARN [slf5s.PRIORITY]serviceNameRedacted::execute 4dc8d34e-4478-11e6-ab32-0a30b49b0000[slf5s.MDC]Size of Cursor is 262 rows[slf5s.MESSAGE]

Splunk is placing all of those entries in to a single event with this timestamp 07 Jul 2016 15:23:37,789 and not creating an event for each of those timestamps. My theory is that it's because the line does not begin with a timestamp, but instead begins with [slf5s.start]

Any help on how I can get these to be discreet events would be approciated

0 Karma
Reply

maciep
Champion
‎07-07-2016 05:40 PM

Have you tried setting SHOULD_LINEMERGE = FALSE in props.conf? I think that will make Splunk create new events on line breaks.

And it seems to already find the timestamp ok, but you could specify the TIME_PREFIX, TIME_FORMAT and MAX_TIMESTAMP_LOOKAHEAD as well if needed or to make Splunk's job easier.

0 Karma
Reply

sundareshr
Legend
‎07-07-2016 04:57 PM

If all your events begin with [slf5s.start], you could set that as the TIME_PREFIX and MAX_TIMESTAMP_LOOKAHEAD in your props.conf

http://docs.splunk.com/Documentation/Splunk/6.1.3/Data/Configuretimestamprecognition

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...