Re: How to fix the timestamp for multiline events...

senthilnathanv · ‎09-10-2019

Hi, Kindly help me out with to solve this question

When I try to parse the log event data into splunk which is in the multiline format, the timestamp is not identified correctly by splunk. It shows error that it "failed to parse timestamp". how to resolve this issue.

My log will be looking like this:

201907231345267473.00
10-24-00 aaaa bbbbb cccccc

here date is 2019-07-23 and time is 10-24-00
But these two line are identified as single event by enabling SHOULD_LINEMERGE = true

jkat54 · ‎09-10-2019

You can put this in datetime.xml in your app and deploy to first splunk enterprise instance in the input chain. I dont think its needed on the universal forwarder, but i forget if thats the truth or not.

<datetime>
  <define name="_custom_datestamp1" extract="year, month, day">
    <text><![CDATA[(?i\*\*)(\d{4})(\d{2})(\d{2})]]></text>
  </define>
  <define name="_custom_timestamp1" extract="hour, minute, second">
    <text><![CDATA[(?i)^(\d{2})-(\d{2})-(\d{2})]]></text>
  </define>
  <timePatterns>
    <use name="_custom_timestamp1"/>
  </timePatterns>
  <datePatterns>
    <use name="_custom_datestamp1"/>
  </datePatterns>
</datetime>

the changes will only apply to NEW data ingested after the datetime.xml is deployed.

richgalloway · ‎09-10-2019

What are the props.conf settings for that sourcetype?

---
If this reply helps you, Karma would be appreciated.

How to fix the timestamp for multiline events?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Build the Future of Agentic AI: Join the Splunk Agentic Ops Hackathon

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

Join the Conversation