Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Splunk Group Events By timestamp
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I have this log file mixed with a single and multiple line events, my problem is that splunk is breaking some multiline events, what I want to do is group the event if splunk detects a timestamp and until a new timestamp is detected it will be displayed as a one event?
what i want to happen is in this format:
[timestamp][message] //event1
[message] //event1
[message] //event1
[timestamp][message] //event2
[timestamp][message] //event3
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is actually the default behaviour. Splunk will break when it finds a valid timestamp. What might be happening is that Splunk finds something else that it considers to be a valid timestamp in the places within event 1 where it's breaking though it shouldn't. You can tell Splunk explicitly what time format it should be looking for by specifying TIME_FORMAT for the sourcetype in question in props.conf.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is actually the default behaviour. Splunk will break when it finds a valid timestamp. What might be happening is that Splunk finds something else that it considers to be a valid timestamp in the places within event 1 where it's breaking though it shouldn't. You can tell Splunk explicitly what time format it should be looking for by specifying TIME_FORMAT for the sourcetype in question in props.conf.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes. Like I said, you can set TIME_FORMAT. More information on this is available here: http://docs.splunk.com/Documentation/Splunk/5.0/Data/Configuretimestamprecognition
In your case the time format would be something like:
TIME_FORMAT = %Y-%m-%d %H:%M:%S
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi ayn,
I have checked the logs and it seems your right, there are some lines that have a timestamp but it's a little different.
the timestamp format that i want only splunk to recognize is:"2013-07-18 07:47:05,720"
that other timestamp format that splunk is recognizing is:
"2013-07-18T07:46:10.4696008Z"
now i don't have access to change the logs because it is being only sent to us by a third party
is it possible for splunk to not read the other timestamp format above
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
How to find the worst searches in your Splunk environment and how to fix them
Share Your Feedback: On Admin Config Service (ACS)!
Build the Future of Agentic AI: Join the Splunk Agentic Ops Hackathon
