Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to configure Splunk to index separate events for each timestamp in my sample data?

cjmckenna
New Member
‎07-07-2016 02:32 PM

I have the following entries from a logfile created with log4j.

[slf5s.start]07 Jul 2016 15:23:37,789[slf5s.DATE]WARN [slf5s.PRIORITY]serviceNameRedacted::execute 4dc8d34e-4478-11e6-ab32-0a30b49b0000[slf5s.MDC]Processing time to execute redacted stored procedure in ms- 441[slf5s.MESSAGE]
[slf5s.start]07 Jul 2016 15:23:37,802[slf5s.DATE]WARN [slf5s.PRIORITY]serviceNameRedacted::execute 4dc8d34e-4478-11e6-ab32-0a30b49b0000[slf5s.MDC]Processing time to map redacted Header in ms- 10,row count=274[slf5s.MESSAGE]
[slf5s.start]07 Jul 2016 15:23:37,834[slf5s.DATE]WARN [slf5s.PRIORITY]serviceNameRedacted::execute 4dc8d34e-4478-11e6-ab32-0a30b49b0000[slf5s.MDC]Processing time to map redacted cursor in ms--- 23[slf5s.MESSAGE]
[slf5s.start]07 Jul 2016 15:23:37,840[slf5s.DATE]WARN [slf5s.PRIORITY]serviceNameRedacted::execute 4dc8d34e-4478-11e6-ab32-0a30b49b0000[slf5s.MDC]Size of Cursor is 262 rows[slf5s.MESSAGE]

Splunk is placing all of those entries in to a single event with this timestamp 07 Jul 2016 15:23:37,789 and not creating an event for each of those timestamps. My theory is that it's because the line does not begin with a timestamp, but instead begins with [slf5s.start]

Any help on how I can get these to be discreet events would be approciated

0 Karma
Reply

maciep
Champion
‎07-07-2016 05:40 PM

Have you tried setting SHOULD_LINEMERGE = FALSE in props.conf? I think that will make Splunk create new events on line breaks.

And it seems to already find the timestamp ok, but you could specify the TIME_PREFIX, TIME_FORMAT and MAX_TIMESTAMP_LOOKAHEAD as well if needed or to make Splunk's job easier.

0 Karma
Reply

sundareshr
Legend
‎07-07-2016 04:57 PM

If all your events begin with [slf5s.start], you could set that as the TIME_PREFIX and MAX_TIMESTAMP_LOOKAHEAD in your props.conf

http://docs.splunk.com/Documentation/Splunk/6.1.3/Data/Configuretimestamprecognition

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...