How to merge messages into a single event using on...

_smp_ · ‎05-05-2016

Hi,

Relative newbie here. I have a host that is splitting large messages into multiple syslog messages. The beginning of the message contains two timestamps, but the trailing messages only contain one. The messages arrive like this:

May  5 08:12:16 myhost.company.com 05/05/16 08:12:16.392 [part1]
May  5 08:12:16 myhost.company.com [part2]
May  5 08:12:16 myhost.company.com [part3]

Miraculously, I somehow managed to get the messages combined into a single by editing the props.conf:

NO_BINARY_CHECK = true
MAX_EVENTS=50000
SHOULD_LINEMERGE = false
MAX_TIMESTAMP_LOOKAHEAD = 25
TIME_PREFIX = ^
TRUNCATE = 0
LINE_BREAKER = ([\r\n]+)\w+\s+\d+\s+\d+:\d+:\d+\s+\w+\.\w+\.\w+\.\w+\s\d+\/\d+\/\d+\s+\d+:\d+:\d+\.\d+

And this seems to work fine, but what I noticed is that the timestamps from the two trailing messages are also included in the combined event, kind of like this:

May  5 08:12:16 myhost.company.com 05/05/16 08:12:16.392 [part1]May  5 08:12:16 myhost.company.com [part2]May  5 08:12:16 myhost.company.com [part3]

Is there a way to break the events based on the second timestamp in the first message, but strip out the timestamps from the following two messages?

woodcock · ‎05-05-2016

You should be able to use this:

SEDCMD-strip_last_two_timestamps = s/\s+\d+\/\d+\/\d+\s+\d+:\d+:\d+\.\d+//g

Put this on your indexers and restart Splunk and it should strip them out.

How to merge messages into a single event using one timestamp and remove the other timestamps?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

Join the Conversation