Getting Data In

Timestamp file breakup

kmm2
Path Finder

Get-BrokerSession is run via PowerShell and sent to a txt file. The information is getting into Splunk; however, at every line that has a date and time in it, the event is killed and a new event begins with the next line in Splunk. Is there a way just to have the txt file ingested into Splunk without it chopping up the file every time it comes to a timestamp in the log?

0 Karma

deepakc
Builder

Splunk is all about time series data, so you can search data/events using various times etc. What this means is that you need to ensure you have well-formatted logs with a timestamp, which is what Splunk loves, and it tries to break the events based on the timestamp.

Splunk has the capability to auto-detect most common log formats and timestamps, but this is not best practice for custom logs; it's better to ensure you parse and format the timestamp correctly.

As it looks like you have a custom log file, you will need to create a new sourcetype for it and apply props and transforms configuration to it, which will then parse it and ensure the timestamp is correct.

First try to understand the props concepts and apply them to your log file. It will require some props code trial and error until you get it to work as expected.

Start here:

https://lantern.splunk.com/Splunk_Platform/Product_Tips/Data_Management/Improving_data_onboarding_wi... 
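
As an added illustration of the props approach described in the answer above (not part of the original posts): a props.conf stanza that stops Splunk from starting a new event at every line containing a date. It assumes the Get-BrokerSession output is in PowerShell's list layout, one "Property : Value" line per field with a blank line between session records; the sourcetype name is hypothetical.

```ini
# props.conf, deployed on the parsing tier (indexer or heavy forwarder).
# Line-breaking settings placed only on a universal forwarder are not applied.
#
# [citrix:brokersession] is a hypothetical sourcetype name; set the same
# sourcetype on the input that monitors the txt file.
[citrix:brokersession]

# Defaults are SHOULD_LINEMERGE = true and BREAK_ONLY_BEFORE_DATE = true,
# which is why every line carrying a date and time starts a new event.
# Turn line merging off and let LINE_BREAKER alone decide event boundaries.
SHOULD_LINEMERGE = false

# Assumption: records are separated by one or more blank lines.
# The text matched by the first capture group is discarded and marks
# the boundary between two events.
LINE_BREAKER = ((?:\r?\n){2,})

# The dates inside a record are session attributes, not the time of the
# event, so skip timestamp extraction and stamp each event with the time
# it was indexed.
DATETIME_CONFIG = CURRENT

# Raise the per-event byte limit (default 10000) so a long record is not
# cut off. 50000 is a constructed value; size it to the real output.
TRUNCATE = 50000
```

These settings act at index time, so they affect only data ingested after the change; events already indexed keep their old boundaries.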
