Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How to line break events based on timestamp to include multiple lines in one event?

corydm
New Member
‎09-19-2014 10:54 AM 
09-17-2014 18:00:01.024     DATA MESSAGE RCVD FROM:W228707 DATA:POLL\x04
09-17-2014 18:00:01.024     DATA MESSAGE RCVD FROM:NOCTMDS-A20 DATA:POLL
09-17-2014 18:00:01.024     DATA MESSAGE RCVD FROM:W203911 DATA:POLL\x04
09-17-2014 18:00:01.055     DATA MESSAGE RCVD FROM:W231427 DATA:POLL\x04
09-17-2014 18:00:01.071     DATA MESSAGE RCVD FROM:W211499 DATA:POLL\x04
09-17-2014 18:00:01.087     DATA MESSAGE RCVD FROM:W231259 DATA:POLL\x04

This is the log file I am indexing. and I would like to make it so that when I index it, the timestamp is what determines when a new event occurs. In the data above, the first 3 lines is one event, and the last 3 lines are all indepedent events. I for the life of me, haven't been very successful with this... I've tried a couple of different methods using the Data previewer and setting my line breaks, but I cannot get it to do it correctly. I know this is a very simple thing, so I was wondering if someone could rattle off the solution, and be my easy button.

Thanks

0 Karma
Reply

sk314
Builder
‎09-19-2014 11:09 AM

Do you need them to be included as the same event at index time? You could always club them as a single event at search time using the transaction command like so:
| transaction _time

0 Karma
Reply

sk314
Builder
‎09-25-2014 08:26 PM

try using stats list(_raw) by _time. Would be faster. Hope it helps.

0 Karma
Reply

corydm
New Member
‎09-23-2014 06:28 AM

Doing it at searchtime is too slow for what I am trying to achieve. When we do transaction _time, the query takes 2/3 minutes to run. I really need to index them together as an event based on timestamp(though really, I need to group this data into one event:

9/17/14 6:00:06.274 PM

09-17-2014 18:00:06.274 DATA MESSAGE RCVD HOSTNAME-1 DATA:HLCSPOSITIONINFO;;S123412|STUFF THING|1234.111|112211|UPDATE|54321
9/17/14 6:00:06.274 PM

09-17-2014 18:00:06.274 HOSTNAME-1:RCVD DATA = HLCSPOSITIONINFO;S123412|STUFF THING|1234.111|112211|UPDATE|54321
9/17/14 6:00:06.274 PM

09-17-2014 18:00:06.274 DATAGRAM FORWARDED TO CLIENT: <123412> [HLCSPOSITIONINFO;S123412|STUFF THING|1234.111|112211|UPDATE|54321
9/17/14 6:00:06.274 PM

09-17-2014 18:00:06.274 MOBILE CLIENT ASSIGNMENT FOUND:S123412

This is coming accross as 4 separate events, and I need it to be one event. We can easily get this done at search time, but our need is to have it done at index time. It does -not- have to be by the timestamp, but it seemed like low hanging fruit at the time, but is still eluding us.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...