Timestamp on one event determines subsequent line ...

rasingh · ‎04-02-2011

I want to index log events from RMAN backup log. This log has a log event per line but each line may not have a timestamp. It looks like the example below:

Line event entry 1 at <TIMESTAMP1>
Line event entry 2
Line event entry 3
Line event entry 4 at <TIMESTAMP2>
Line event entry 5

How do I use the first read timestamp to be the timestamp for each subsequent event until a new timestamp is read?

Using the example above, TIMESTAMP1 would be the timestamp for Line event entries 1 thru 3 while TIMESTAMP2 would be the timestamp for Line event entries 4 & 5.

I think is the best way to handle the Oracle RMAN backup log unless someone has done better/differently before.

rasingh · ‎02-02-2012

After testing this sample log file in Splunk, I found out Splunk already does that automatically.

Timestamp on one event determines subsequent line events in RMAN backup

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you a member of the Splunk Community?

Timestamp on one event determines subsequent line events in RMAN backup

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem