Getting Data In

merging data at index time or using the second date for the time stamp

kmaynard616
Engager

I have a log that looks like this:

2010/06/28 12:44:21 -

-ERROR(Version: 1.0 Buildguy from 2009-05-12 08.45.26) : 2010/06/28 12:44:21....

when I index it with the main index I get two events:

 2010/06/28 12:44:21        2010/06/28 12:44:21 -

 2009-05-12 12:44:21        -ERROR(Version: 1.0 Buildguy from 2009-05-12 08.45.26) :        
                             2010/06/28 12:44:21....

my problem here is the Date for the second event is using one from the error message not the second date which is the one I need for my timestamp.

I also tried a props.conf that looks like this:

 [I2]
 SHOULD_LINEMERGE = true
 BREAK_ONLY_BEFORE = ^\d\d/\d\d/\d\d \d\d:\d\d:\d\d -

I only get one event using this I2 index:

 2010/06/28 12:44:21        2010/06/28 12:44:21 -

Is there any way I can index this merging the Date with the error message or pull the second date from the Error message for the timestamp. I was not sure If the space between the Date and ERROR message was the problem and if it is, is there a way around this so i can merge these together.

Tags (1)

Lowell
Super Champion

I think your event merging problem would be solved with the following props.conf entry:

[I2]
SHOULD_LINEMERGE = true
BREAK_ONLY_BEFORE = ^\d{4}/\d\d/\d\d \d\d:\d\d:\d\d -
BREAK_ONLY_BEFORE_DATE = False

The BREAK_ONLY_BEFORE_DATE is True by default (despite what the docs say), which can cause your issues here because multiple dates are present. (You could also potententially solve this by specifying TIME_FORMAT). Also notice that your BREAK_ONLY_BEFORE regex was incorrect. You have a 4 digit year, not a 2 digit one. The regex above should work.

If you want splunk to use your second timestamp you have a couple of options. However, the sample you provided hasn't given enough context to know for sure what comes before your second date. (Your first sample has 3 different dates, two of which are the same, and then). Does the 2nd date always occur after the word "from"? In your example the two dates are from different years, which also seems weird. (You can edit your question and add a few more lines which shoudl be enough to establish a pattern)

There are a couple of helpful docs on this topic too:

Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...