09-17-2014 18:00:01.024 DATA MESSAGE RCVD FROM:W228707 DATA:POLL\x04
09-17-2014 18:00:01.024 DATA MESSAGE RCVD FROM:NOCTMDS-A20 DATA:POLL
09-17-2014 18:00:01.024 DATA MESSAGE RCVD FROM:W203911 DATA:POLL\x04
09-17-2014 18:00:01.055 DATA MESSAGE RCVD FROM:W231427 DATA:POLL\x04
09-17-2014 18:00:01.071 DATA MESSAGE RCVD FROM:W211499 DATA:POLL\x04
09-17-2014 18:00:01.087 DATA MESSAGE RCVD FROM:W231259 DATA:POLL\x04
This is the log file I am indexing, and I would like to make it so that when I index it, the timestamp is what determines when a new event occurs. In the data above, the first 3 lines are one event, and the last 3 lines are all independent events. I, for the life of me, haven't been very successful with this... I've tried a couple of different methods using the Data previewer and setting my line breaks, but I cannot get it to do it correctly. I know this is a very simple thing, so I was wondering if someone could rattle off the solution and be my easy button.
Thanks
Do you need them to be included as the same event at index time? You could always club them as a single event at search time using the transaction command like so:
Try using stats list(_raw) by _time. Would be faster. Hope it helps.
Doing it at search time is too slow for what I am trying to achieve. When we do transaction _time, the query takes 2 to 3 minutes to run. I really need to index them together as an event based on timestamp (though really, I need to group this data into one event:
9/17/14 6:00:06.274 PM
09-17-2014 18:00:06.274 DATA MESSAGE RCVD HOSTNAME-1 DATA:HLCSPOSITIONINFO;;S123412|STUFF THING|1234.111|112211|UPDATE|54321
9/17/14 6:00:06.274 PM
09-17-2014 18:00:06.274 HOSTNAME-1:RCVD DATA = HLCSPOSITIONINFO;S123412|STUFF THING|1234.111|112211|UPDATE|54321
9/17/14 6:00:06.274 PM
09-17-2014 18:00:06.274 DATAGRAM FORWARDED TO CLIENT: <123412> [HLCSPOSITIONINFO;S123412|STUFF THING|1234.111|112211|UPDATE|54321
9/17/14 6:00:06.274 PM
09-17-2014 18:00:06.274 MOBILE CLIENT ASSIGNMENT FOUND:S123412
This is coming across as 4 separate events, and I need it to be one event. We can easily get this done at search time, but our need is to have it done at index time. It does -not- have to be by the timestamp, but it seemed like low-hanging fruit at the time; it is still eluding us.
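The grouping both posts ask for (consecutive lines that carry the same leading timestamp become one event; a line with a new timestamp starts a new event; a line with no timestamp is appended to the event in progress) can be stated as a small stream processor. The following is an added example, not code from the thread or from Splunk. It assumes the grouping runs as a preprocessing step on the log before the data reaches the indexer (the thread does not confirm that approach); the sample log text is constructed from the lines quoted above, and the `\x04` is the EOT control byte that the quoted lines show as `\x04`.

```python
"""Group log lines into events by identical consecutive leading timestamp."""
import re
from datetime import datetime

# Leading timestamp in the format the log uses: MM-DD-YYYY HH:MM:SS.mmm
TS_RE = re.compile(r"^(\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3})\b")
TS_FORMAT = "%m-%d-%Y %H:%M:%S.%f"

# Constructed sample, modelled on the POLL lines quoted in the question.
# "\x04" is the EOT control byte; it is kept as part of the raw event text.
SAMPLE_POLL = (
    "09-17-2014 18:00:01.024 DATA MESSAGE RCVD FROM:W228707 DATA:POLL\x04\n"
    "09-17-2014 18:00:01.024 DATA MESSAGE RCVD FROM:NOCTMDS-A20 DATA:POLL\n"
    "09-17-2014 18:00:01.024 DATA MESSAGE RCVD FROM:W203911 DATA:POLL\x04\n"
    "09-17-2014 18:00:01.055 DATA MESSAGE RCVD FROM:W231427 DATA:POLL\x04\n"
    "09-17-2014 18:00:01.071 DATA MESSAGE RCVD FROM:W211499 DATA:POLL\x04\n"
    "09-17-2014 18:00:01.087 DATA MESSAGE RCVD FROM:W231259 DATA:POLL\x04\n"
)

# Constructed sample, modelled on the HLCSPOSITIONINFO lines in the follow-up post.
SAMPLE_POSITION = (
    "09-17-2014 18:00:06.274 DATA MESSAGE RCVD HOSTNAME-1 DATA:HLCSPOSITIONINFO;;"
    "S123412|STUFF THING|1234.111|112211|UPDATE|54321\n"
    "09-17-2014 18:00:06.274 HOSTNAME-1:RCVD DATA = HLCSPOSITIONINFO;"
    "S123412|STUFF THING|1234.111|112211|UPDATE|54321\n"
    "09-17-2014 18:00:06.274 DATAGRAM FORWARDED TO CLIENT: <123412> [HLCSPOSITIONINFO;"
    "S123412|STUFF THING|1234.111|112211|UPDATE|54321\n"
    "09-17-2014 18:00:06.274 MOBILE CLIENT ASSIGNMENT FOUND:S123412\n"
)


def group_by_timestamp(text):
    """Return a list of events, each a dict with 'time', 'lines' and 'raw'.

    Lines are grouped only when they are *consecutive* and share the same
    timestamp, which is what a single pass over a stream can do at index
    time. Lines without a leading timestamp are appended to the current
    event (the same idea as breaking only before a date).
    """
    events = []
    current = None
    for line in text.splitlines():
        if not line:
            continue  # skip empty lines; \x04 is not whitespace, so it survives
        match = TS_RE.match(line)
        if match is None:
            if current is None:
                raise ValueError("continuation line before any timestamped line: %r" % line)
            current["raw"].append(line)
            continue
        ts = match.group(1)
        datetime.strptime(ts, TS_FORMAT)  # reject a malformed timestamp early
        if current is not None and current["time"] == ts:
            current["raw"].append(line)  # same timestamp as the previous line: same event
        else:
            current = {"time": ts, "raw": [line]}
            events.append(current)
    return [
        {"time": e["time"], "lines": len(e["raw"]), "raw": "\n".join(e["raw"])}
        for e in events
    ]


if __name__ == "__main__":
    for sample in (SAMPLE_POLL, SAMPLE_POSITION):
        for event in group_by_timestamp(sample):
            print("%s  (%d lines)" % (event["time"], event["lines"]))
            print(event["raw"].replace("\x04", "\\x04"))
            print("-" * 40)
```

Run against `SAMPLE_POLL` this yields four events (the three 18:00:01.024 lines as one, then one per remaining line), and against `SAMPLE_POSITION` a single four-line event, which is the split the two posts describe. Because only consecutive lines are merged, two lines with the same timestamp separated by a different one stay separate events, matching what a one-pass indexer can know; the search-time `stats list(_raw) by _time` suggested above merges them regardless of order.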