Getting Data In

How to line break events based on timestamp to include multiple lines in one event?

New Member
09-17-2014 18:00:01.024     DATA MESSAGE RCVD FROM:W228707 DATA:POLL\x04
09-17-2014 18:00:01.024     DATA MESSAGE RCVD FROM:NOCTMDS-A20 DATA:POLL
09-17-2014 18:00:01.024     DATA MESSAGE RCVD FROM:W203911 DATA:POLL\x04
09-17-2014 18:00:01.055     DATA MESSAGE RCVD FROM:W231427 DATA:POLL\x04
09-17-2014 18:00:01.071     DATA MESSAGE RCVD FROM:W211499 DATA:POLL\x04
09-17-2014 18:00:01.087     DATA MESSAGE RCVD FROM:W231259 DATA:POLL\x04

This is the log file I am indexing, and I would like to make it so that when I index it, the timestamp is what determines when a new event occurs. In the data above, the first 3 lines are one event, and the last 3 lines are all independent events. I, for the life of me, haven't been very successful with this... I've tried a couple of different methods using the Data previewer and setting my line breaks, but I cannot get it to do it correctly. I know this is a very simple thing, so I was wondering if someone could rattle off the solution and be my easy button.

Thanks

0 Karma

Builder

Do you need them to be included as the same event at index time? You could always club them as a single event at search time using the transaction command like so:
| transaction _time

0 Karma

Builder

Try using stats list(_raw) by _time. It would be faster. Hope it helps.

0 Karma

New Member

Doing it at search time is too slow for what I am trying to achieve. When we do transaction _time, the query takes 2 to 3 minutes to run. I really need to index them together as an event based on timestamp (though really, I need to group this data into one event):

9/17/14 6:00:06.274 PM
09-17-2014 18:00:06.274 DATA MESSAGE RCVD HOSTNAME-1 DATA:HLCSPOSITIONINFO;;S123412|STUFF THING|1234.111|112211|UPDATE|54321

9/17/14 6:00:06.274 PM
09-17-2014 18:00:06.274 HOSTNAME-1:RCVD DATA = HLCSPOSITIONINFO;S123412|STUFF THING|1234.111|112211|UPDATE|54321

9/17/14 6:00:06.274 PM
09-17-2014 18:00:06.274 DATAGRAM FORWARDED TO CLIENT: <123412> [HLCSPOSITIONINFO;S123412|STUFF THING|1234.111|112211|UPDATE|54321

9/17/14 6:00:06.274 PM
09-17-2014 18:00:06.274 MOBILE CLIENT ASSIGNMENT FOUND:S123412

This is coming across as 4 separate events, and I need it to be one event. We can easily get this done at search time, but our need is to have it done at index time. It does -not- have to be by the timestamp, but it seemed like low-hanging fruit at the time, and it is still eluding us.

0 Karma
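Added example (not from any poster in this thread, and not Splunk's own code): the reason the Data previewer cannot do this is that Splunk's index-time line breaking (LINE_BREAKER, BREAK_ONLY_BEFORE, MUST_BREAK_AFTER and friends in props.conf) is regex-based and tests each line on its own; it has no way to compare one line's timestamp with the previous line's, so a timestamp-anchored pattern breaks at every timestamped line, which is exactly the "4 separate events" result above. The two answers therefore move the grouping to search time (transaction, or stats list(_raw) by _time). If search time is too slow, the remaining option is to do the merge before the data reaches the indexer, for example in a scripted input or a small filter that rewrites the file Splunk monitors. The script below implements that merge in Python 3: consecutive lines that share a leading timestamp become one multi-line event, and a line with no timestamp at all is treated as a continuation of the current event. The timestamp regex is an assumption matching the MM-DD-YYYY HH:MM:SS.mmm format in the posted lines, the max_lines cap is my addition, and the two sample logs are constructed from the lines posted above (the \x04 is the EOT control character the first sample shows as a literal escape).

```python
import re
from typing import Iterable, Iterator, List, Optional

# Leading timestamp in the posted format: MM-DD-YYYY HH:MM:SS.mmm followed by whitespace.
# Assumption: every "real" event starts with this; anything else is a continuation line.
TS_RE = re.compile(r"^(\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3})(?=\s)")


def group_by_timestamp(lines: Iterable[str], max_lines: int = 50) -> Iterator[str]:
    """Yield one event (lines joined with '\\n') per run of consecutive lines that
    carry the same leading timestamp.

    Lines without a timestamp are glued onto the current event. That is also the
    risk of this approach: data that contains embedded newlines (a user-supplied
    field, or an injected log line with no timestamp) lands inside the preceding
    event, so max_lines bounds how large any single event can grow. A burst of
    many messages in the same millisecond is split the same way.
    """
    current: List[str] = []
    current_ts: Optional[str] = None
    for raw in lines:
        line = raw.rstrip("\r\n")
        if not line.strip():
            continue  # skip blank lines rather than merging them into an event
        m = TS_RE.match(line)
        ts = m.group(1) if m else current_ts  # continuation line inherits the timestamp
        if current and (ts != current_ts or len(current) >= max_lines):
            yield "\n".join(current)
            current = []
        if not current:
            current_ts = ts
        current.append(line)
    if current:
        yield "\n".join(current)


def events_from_text(text: str, max_lines: int = 50) -> List[str]:
    """Convenience wrapper: split a chunk of log text into merged events."""
    return list(group_by_timestamp(text.splitlines(keepends=True), max_lines))


# Constructed sample 1: the six POLL lines from the question. Expected result:
# one 3-line event at .024, then three single-line events.
POLL_LOG = (
    "09-17-2014 18:00:01.024     DATA MESSAGE RCVD FROM:W228707 DATA:POLL\x04\n"
    "09-17-2014 18:00:01.024     DATA MESSAGE RCVD FROM:NOCTMDS-A20 DATA:POLL\n"
    "09-17-2014 18:00:01.024     DATA MESSAGE RCVD FROM:W203911 DATA:POLL\x04\n"
    "09-17-2014 18:00:01.055     DATA MESSAGE RCVD FROM:W231427 DATA:POLL\x04\n"
    "09-17-2014 18:00:01.071     DATA MESSAGE RCVD FROM:W211499 DATA:POLL\x04\n"
    "09-17-2014 18:00:01.087     DATA MESSAGE RCVD FROM:W231259 DATA:POLL\x04\n"
)

# Constructed sample 2: the four HLCSPOSITIONINFO lines from the follow-up, all
# at the same millisecond. Expected result: a single 4-line event.
POSITION_LOG = (
    "09-17-2014 18:00:06.274 DATA MESSAGE RCVD HOSTNAME-1 DATA:HLCSPOSITIONINFO;;S123412|STUFF THING|1234.111|112211|UPDATE|54321\n"
    "09-17-2014 18:00:06.274 HOSTNAME-1:RCVD DATA = HLCSPOSITIONINFO;S123412|STUFF THING|1234.111|112211|UPDATE|54321\n"
    "09-17-2014 18:00:06.274 DATAGRAM FORWARDED TO CLIENT: <123412> [HLCSPOSITIONINFO;S123412|STUFF THING|1234.111|112211|UPDATE|54321\n"
    "09-17-2014 18:00:06.274 MOBILE CLIENT ASSIGNMENT FOUND:S123412\n"
)


if __name__ == "__main__":
    for sample in (POLL_LOG, POSITION_LOG):
        for n, event in enumerate(events_from_text(sample), 1):
            print(f"--- event {n} ({event.count(chr(10)) + 1} line(s)) ---")
            print(event)
```

To feed the merged output to Splunk, run the script over the source file and write each event to a file Splunk monitors, or wrap it as a scripted input; in either case set SHOULD_LINEMERGE = false with a LINE_BREAKER that matches only the timestamp pattern at the start of a line, so the indexer does not re-split the multi-line events the script produced. Keep max_lines in place: without it, a single untimestamped line (or a flood of messages in one millisecond) can turn into one enormous event.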