- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- How to fix line breaking issue Unix timestamp
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to fix line breaking issue Unix timestamp
Hi All,
I have the logs in below format which is stored in an S3 bucket :
1567295878959445,hostname,ip,id,session,operation,db,query
The first field I believe is the Unix timestamp. When I am integrating those logs with Splunk Addon for AWS the line breaking is not happening as per the timestamp.
Below is the sample log that I am receiving in Splunk. The log is not breaking based on the timestamp as you can see below:
1567295878959445,hostname,ip,id,session,operation,db,query,1567295878959550,hostname,ip,id,session,operation,db,query'
Could anyone advise the configuration in props.conf to break these logs as per the timestamp? Ideally, log should look like below in Splunk :
1567295878959445,hostname,ip,id,session,operation,db,query -log1
1567295878959550,hostname,ip,id,session,operation,db,query' -log2
Regards,
Samad
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Give this a try (props.conf on your heavy forwarder/indexer, first Splunk Enterprise instance that comes in your data flow)
[YourSourcetypeHere]
LINE_BREAKER = ([\r\n]+)(?=\d+,)
SHOULD_LINEMERGE = false
TIME_PREFIX = ^
TIME_FORMAT = %s.%6N
Would require Splunk restart to take effect.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you for the answer.
However, the above setting is not working.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this
TIME_FORMAT = %s%3N
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It is now taking the timestamp without any errors, however the events are not breaking based on the timestamp. I used below setting :
LINE_BREAKER = (\d{10,16}+)
It is breaking the events but it is removing timestamp from the logs.
Regards,
Samad
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
doesn't this LINE_BREAKER work for you ?
LINE_BREAKER = ([\r\n]+)(?=\d+,)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Rupesh,
No, this line breaker doesn't work.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So, all the logs are in single lines thus the my line breaker didn't work. Logs like this with no separator between the events are tough to break. Do you have control to change the logging format, either changing it to single line OR including some static/unique characters before the event?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I don't have control to change the logging format. However, I will check with admin to see if there is any possibility to change the logging format.
Thanks for your help.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
what about something like this for your line breaker....assuming you don't need the comma
(,\s*)(?=\d{10})
Welcome to the Splunk Community!
Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM
Adoption of RUM and APM at Splunk
