Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk Group Events By timestamp

markgomez00
Explorer
‎07-11-2013 08:58 PM

Hi,

I have this log file mixed with a single and multiple line events, my problem is that splunk is breaking some multiline events, what I want to do is group the event if splunk detects a timestamp and until a new timestamp is detected it will be displayed as a one event?

what i want to happen is in this format:

[timestamp][message] //event1

[message] //event1

[message] //event1

[timestamp][message] //event2

[timestamp][message] //event3

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Ayn
Legend
‎07-12-2013 12:23 AM

This is actually the default behaviour. Splunk will break when it finds a valid timestamp. What might be happening is that Splunk finds something else that it considers to be a valid timestamp in the places within event 1 where it's breaking though it shouldn't. You can tell Splunk explicitly what time format it should be looking for by specifying TIME_FORMAT for the sourcetype in question in props.conf.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

Ayn
Legend
‎07-12-2013 12:23 AM

This is actually the default behaviour. Splunk will break when it finds a valid timestamp. What might be happening is that Splunk finds something else that it considers to be a valid timestamp in the places within event 1 where it's breaking though it shouldn't. You can tell Splunk explicitly what time format it should be looking for by specifying TIME_FORMAT for the sourcetype in question in props.conf.

0 Karma
Reply
Solved! Jump to solution

Ayn
Legend
‎07-18-2013 01:37 AM

Yes. Like I said, you can set TIME_FORMAT. More information on this is available here: http://docs.splunk.com/Documentation/Splunk/5.0/Data/Configuretimestamprecognition

In your case the time format would be something like:

TIME_FORMAT = %Y-%m-%d %H:%M:%S
0 Karma
Reply
Solved! Jump to solution

markgomez00
Explorer
‎07-18-2013 01:00 AM

Hi ayn,

I have checked the logs and it seems your right, there are some lines that have a timestamp but it's a little different.

the timestamp format that i want only splunk to recognize is:"2013-07-18 07:47:05,720"

that other timestamp format that splunk is recognizing is:
"2013-07-18T07:46:10.4696008Z"

now i don't have access to change the logs because it is being only sent to us by a third party

is it possible for splunk to not read the other timestamp format above

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...