Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to merge messages into a single event using one timestamp and remove the other timestamps?

_smp_
Builder
‎05-05-2016 06:35 AM

Hi,

Relative newbie here. I have a host that is splitting large messages into multiple syslog messages. The beginning of the message contains two timestamps, but the trailing messages only contain one. The messages arrive like this:

May  5 08:12:16 myhost.company.com 05/05/16 08:12:16.392 [part1]
May  5 08:12:16 myhost.company.com [part2]
May  5 08:12:16 myhost.company.com [part3]

Miraculously, I somehow managed to get the messages combined into a single by editing the props.conf:

NO_BINARY_CHECK = true
MAX_EVENTS=50000
SHOULD_LINEMERGE = false
MAX_TIMESTAMP_LOOKAHEAD = 25
TIME_PREFIX = ^
TRUNCATE = 0
LINE_BREAKER = ([\r\n]+)\w+\s+\d+\s+\d+:\d+:\d+\s+\w+\.\w+\.\w+\.\w+\s\d+\/\d+\/\d+\s+\d+:\d+:\d+\.\d+

And this seems to work fine, but what I noticed is that the timestamps from the two trailing messages are also included in the combined event, kind of like this:

May  5 08:12:16 myhost.company.com 05/05/16 08:12:16.392 [part1]May  5 08:12:16 myhost.company.com [part2]May  5 08:12:16 myhost.company.com [part3]

Is there a way to break the events based on the second timestamp in the first message, but strip out the timestamps from the following two messages?

0 Karma
Reply

woodcock
Esteemed Legend
‎05-05-2016 09:50 AM

You should be able to use this:

SEDCMD-strip_last_two_timestamps = s/\s+\d+\/\d+\/\d+\s+\d+:\d+:\d+\.\d+//g

Put this on your indexers and restart Splunk and it should strip them out.

0 Karma
Reply
The Latest From the Splunk Community!