Here is the sample log, along with the line numbers mentioned, which I am trying to upload to Splunk.
1 ) a
2 ) a1
3 ) a2
4 ) a3
5 ) a4
6 ) a5
7 ) begin script 2013-01-15 02:26:27::Status :0
8 ) RunJob ::2013-01-15 02:26:27::pmcmd Return Code=0
9 ) RunJob ::2013-01-15 02:26:27::Workflow wfFF completed Successfully..
10 ) _UpdDTID ::2013-01-15 02:30:14::Update Max Date in for JOB STREAM ID wfFF
11 ) *** Warning: EOF on INPUT stream.
12 ) *** Warning: EOF on INPUT stream.
13 ) :: .ksh::2013-01-15 02:30:15::Last Extract ID/LAST Extract DATE and SOURCEFLATFILENAME updated successfully.
14 ) *** Warning: EOF on INPUT stream.
15 ) *** Warning: EOF on INPUT stream.
16 ) ::2013-01-15 02:30:16::Completed. and updated successfully.
17 ) ::2013-01-15 02:30:16::Removing the session specific Temp file
18 ) ::2013-01-15 02:30:16::Successfully removed Temp file
19 ) ::2013-01-15 02:30:16::End processing for workflow wfFF
20 ) ### Command completed.
For the first 6 lines Splunk assigned the timestamp of when it is getting indexed, and for the rest it is taking it from the log data.
I need the first 6 lines also merged with the second event so that they will get the timestamp from the log.
Thanks in advance.
You may be able to coerce those first lines into the next event by fiddling with the TIME_PREFIX value in props.conf - I didn't test that for this log though, just give it a go.
In essence you're telling Splunk where to start looking for a timestamp. You can set these either manually in props.conf or in the preview for new data inputs - the latter is likely the better option for you.
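
The grouping asked for in the question, as an added example that is not part of the original thread and is not Splunk's own logic: a small offline model that holds undated leading lines until the first timestamped line and attaches later undated lines to the preceding event. It can be used to write down the expected events and timestamps before comparing them with the data preview. The function name, the regex and the sample (the question's log without its line numbers) are assumptions of this sketch.

```python
import re
from datetime import datetime

# Timestamp shape seen in the sample log (assumed: YYYY-MM-DD HH:MM:SS).
TS_RE = re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}")

# Constructed sample: the log from the question, minus the "N )" line numbers.
SAMPLE = """\
a
a1
a2
a3
a4
a5
begin script 2013-01-15 02:26:27::Status :0
RunJob ::2013-01-15 02:26:27::pmcmd Return Code=0
RunJob ::2013-01-15 02:26:27::Workflow wfFF completed Successfully..
_UpdDTID ::2013-01-15 02:30:14::Update Max Date in for JOB STREAM ID wfFF
*** Warning: EOF on INPUT stream.
*** Warning: EOF on INPUT stream.
:: .ksh::2013-01-15 02:30:15::Last Extract ID/LAST Extract DATE and SOURCEFLATFILENAME updated successfully.
*** Warning: EOF on INPUT stream.
*** Warning: EOF on INPUT stream.
::2013-01-15 02:30:16::Completed. and updated successfully.
::2013-01-15 02:30:16::Removing the session specific Temp file
::2013-01-15 02:30:16::Successfully removed Temp file
::2013-01-15 02:30:16::End processing for workflow wfFF
### Command completed.
"""

def group_events(lines):
    """Return [(timestamp or None, [lines])], one tuple per event."""
    events, pending = [], []          # pending: undated lines before any timestamp
    for line in lines:
        m = TS_RE.search(line)
        if m:                         # a dated line starts a new event
            ts = datetime.strptime(m.group(0), "%Y-%m-%d %H:%M:%S")
            events.append((ts, pending + [line]))  # leading lines merge forward
            pending = []
        elif events:                  # undated line after a dated one: merge back
            events[-1][1].append(line)
        else:
            pending.append(line)
    if pending:                       # no timestamp anywhere in the input
        events.append((None, pending))
    return events

if __name__ == "__main__":
    for ts, body in group_events(SAMPLE.splitlines()):
        print(ts, len(body), "line(s)")
```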