How to merge messages into a single event using on...

_smp_ · ‎05-05-2016

Hi,

Relative newbie here. I have a host that is splitting large messages into multiple syslog messages. The beginning of the message contains two timestamps, but the trailing messages only contain one. The messages arrive like this:

May  5 08:12:16 myhost.company.com 05/05/16 08:12:16.392 [part1]
May  5 08:12:16 myhost.company.com [part2]
May  5 08:12:16 myhost.company.com [part3]

Miraculously, I somehow managed to get the messages combined into a single by editing the props.conf:

NO_BINARY_CHECK = true
MAX_EVENTS=50000
SHOULD_LINEMERGE = false
MAX_TIMESTAMP_LOOKAHEAD = 25
TIME_PREFIX = ^
TRUNCATE = 0
LINE_BREAKER = ([\r\n]+)\w+\s+\d+\s+\d+:\d+:\d+\s+\w+\.\w+\.\w+\.\w+\s\d+\/\d+\/\d+\s+\d+:\d+:\d+\.\d+

And this seems to work fine, but what I noticed is that the timestamps from the two trailing messages are also included in the combined event, kind of like this:

May  5 08:12:16 myhost.company.com 05/05/16 08:12:16.392 [part1]May  5 08:12:16 myhost.company.com [part2]May  5 08:12:16 myhost.company.com [part3]

Is there a way to break the events based on the second timestamp in the first message, but strip out the timestamps from the following two messages?

woodcock · ‎05-05-2016

You should be able to use this:

SEDCMD-strip_last_two_timestamps = s/\s+\d+\/\d+\/\d+\s+\d+:\d+:\d+\.\d+//g

Put this on your indexers and restart Splunk and it should strip them out.

How to merge messages into a single event using one timestamp and remove the other timestamps?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life