Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk Group Events By timestamp

markgomez00
Explorer
‎07-11-2013 08:58 PM

Hi,

I have this log file mixed with a single and multiple line events, my problem is that splunk is breaking some multiline events, what I want to do is group the event if splunk detects a timestamp and until a new timestamp is detected it will be displayed as a one event?

what i want to happen is in this format:

[timestamp][message] //event1

[message] //event1

[message] //event1

[timestamp][message] //event2

[timestamp][message] //event3

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Ayn
Legend
‎07-12-2013 12:23 AM

This is actually the default behaviour. Splunk will break when it finds a valid timestamp. What might be happening is that Splunk finds something else that it considers to be a valid timestamp in the places within event 1 where it's breaking though it shouldn't. You can tell Splunk explicitly what time format it should be looking for by specifying TIME_FORMAT for the sourcetype in question in props.conf.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

Ayn
Legend
‎07-12-2013 12:23 AM

This is actually the default behaviour. Splunk will break when it finds a valid timestamp. What might be happening is that Splunk finds something else that it considers to be a valid timestamp in the places within event 1 where it's breaking though it shouldn't. You can tell Splunk explicitly what time format it should be looking for by specifying TIME_FORMAT for the sourcetype in question in props.conf.

0 Karma
Reply
Solved! Jump to solution

Ayn
Legend
‎07-18-2013 01:37 AM

Yes. Like I said, you can set TIME_FORMAT. More information on this is available here: http://docs.splunk.com/Documentation/Splunk/5.0/Data/Configuretimestamprecognition

In your case the time format would be something like:

TIME_FORMAT = %Y-%m-%d %H:%M:%S
0 Karma
Reply
Solved! Jump to solution

markgomez00
Explorer
‎07-18-2013 01:00 AM

Hi ayn,

I have checked the logs and it seems your right, there are some lines that have a timestamp but it's a little different.

the timestamp format that i want only splunk to recognize is:"2013-07-18 07:47:05,720"

that other timestamp format that splunk is recognizing is:
"2013-07-18T07:46:10.4696008Z"

now i don't have access to change the logs because it is being only sent to us by a third party

is it possible for splunk to not read the other timestamp format above

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...