Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Time prefix ;
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Time prefix ;
I have events that end and start with :
orderLock;null;
2013-11-07 05:55:38.431; Log entry......
162405913;;
2013-11-07 05:55:38.431; Log entry......
;;
2013-11-07 05:55:38.431; Log entry......
I have the time strip as:
TIME_FORMAT = %Y-%m-%d %H:%M:%S.%3N;
But I want to include the ; at the end of the log entry on the line before the next log entry what regex should I use with the TIME_PREFIX =
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
TIME_FORMAT = %Y-%m-%d %H:%M:%S.%3N
TIME_PREFIX = [\r\n]+
Truthfully, these setting should work fine...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yeah Im trying to get the Event to break after the ; which is part of the previous entry.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
TIME_PREFIX = \;[\r\n]+
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
blah blah blah itineraryUnLock;;
2013-11-07 06:00:20.813;baf9f8c8-efa7-4425-982e-a96179f840c6; Lots if text blah blah blah
blah blah blah LockRelease;null;
2013-11-07 06:00:20.851;ad8cd20e-ff45-49ad-8988-c1c2b9f58700; Lots if text blah blah blah
blah blah blah LockRelease;null;
2013-11-07 06:00:20.852;ad8cd21e-ff55-40ad-8990-c2c2b9f58700; Lots if text blah blah blah
blah blah blah ServerAdd;;
2013-11-07 06:00:22.442;6671762e-0a52-4c7b-aee3-69c10b261d99; Lots if text blah blah blah
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Didnt work, maybe Im not being descriptive enough. I put more log data in.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It's a bit unclear what you want to do. Do you want the last ; on the line preceding the timestamp to be part of the same message as the timestamp? In that case it has nothing to do with the TIME_PREFIX, but rather with the line-breaking of the event stream.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas
What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)
Automating Threat Operations and Threat Hunting with Recorded Future
