Re: How to fix the timestamp for multiline events...

senthilnathanv · ‎09-10-2019

Hi, Kindly help me out with to solve this question

When I try to parse the log event data into splunk which is in the multiline format, the timestamp is not identified correctly by splunk. It shows error that it "failed to parse timestamp". how to resolve this issue.

My log will be looking like this:

201907231345267473.00
10-24-00 aaaa bbbbb cccccc

here date is 2019-07-23 and time is 10-24-00
But these two line are identified as single event by enabling SHOULD_LINEMERGE = true

jkat54 · ‎09-10-2019

You can put this in datetime.xml in your app and deploy to first splunk enterprise instance in the input chain. I dont think its needed on the universal forwarder, but i forget if thats the truth or not.

<datetime>
  <define name="_custom_datestamp1" extract="year, month, day">
    <text><![CDATA[(?i\*\*)(\d{4})(\d{2})(\d{2})]]></text>
  </define>
  <define name="_custom_timestamp1" extract="hour, minute, second">
    <text><![CDATA[(?i)^(\d{2})-(\d{2})-(\d{2})]]></text>
  </define>
  <timePatterns>
    <use name="_custom_timestamp1"/>
  </timePatterns>
  <datePatterns>
    <use name="_custom_datestamp1"/>
  </datePatterns>
</datetime>

the changes will only apply to NEW data ingested after the datetime.xml is deployed.

richgalloway · ‎09-10-2019

What are the props.conf settings for that sourcetype?

---
If this reply helps you, Karma would be appreciated.

How to fix the timestamp for multiline events?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Event Series: Telemetry Pipeline Management

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Deep insights, no barriers: Splunk Observability Cloud Free Edition

Join the Conversation