merging data at index time or using the second date for the time stamp

kmaynard616
Engager

I have a log that looks like this:

 2010/06/28 12:44:21 -
 -ERROR(Version: 1.0 Buildguy from 2009-05-12 08.45.26) : 2010/06/28 12:44:21....

when I index it with the main index I get two events:

 2010/06/28 12:44:21        2010/06/28 12:44:21 -

 2009-05-12 12:44:21        -ERROR(Version: 1.0 Buildguy from 2009-05-12 08.45.26) :        
                             2010/06/28 12:44:21....

My problem here is that the date for the second event is taken from the error message, not the second date, which is the one I need for my timestamp.

I also tried a props.conf that looks like this:

 [I2]
 SHOULD_LINEMERGE = true
 BREAK_ONLY_BEFORE = ^\d\d/\d\d/\d\d \d\d:\d\d:\d\d -

I only get one event using this I2 index:

 2010/06/28 12:44:21        2010/06/28 12:44:21 -

Is there any way I can index this, merging the date with the error message, or pull the second date from the error message for the timestamp? I was not sure if the space between the date and the ERROR message was the problem, and if it is, is there a way around this so I can merge these together?

Lowell
Super Champion

I think your event merging problem would be solved with the following props.conf entry:

[I2]
SHOULD_LINEMERGE = true
BREAK_ONLY_BEFORE = ^\d{4}/\d\d/\d\d \d\d:\d\d:\d\d -
BREAK_ONLY_BEFORE_DATE = False

BREAK_ONLY_BEFORE_DATE is True by default (despite what the docs say), which can cause your issues here because multiple dates are present. (You could also potentially solve this by specifying TIME_FORMAT.) Also notice that your BREAK_ONLY_BEFORE regex was incorrect: you have a 4-digit year, not a 2-digit one. The regex above should work.

If you want Splunk to use your second timestamp, you have a couple of options. However, the sample you provided hasn't given enough context to know for sure what comes before your second date. (Your first sample has 3 different dates, two of which are the same, and then). Does the 2nd date always occur after the word "from"? In your example the two dates are from different years, which also seems weird. (You can edit your question and add a few more lines, which should be enough to establish a pattern.)

There are a couple of helpful docs on this topic too:
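To make the two points in the answer concrete (the 2-digit-year regex never matches a 4-digit year, and a TIME_PREFIX/TIME_FORMAT pair picks which of the dates becomes the timestamp), here is an added simulation of that part of Splunk's line-merging and timestamp logic. It is example code written for this thread, not Splunk's own implementation; the second record in the sample and the `\) : ` prefix are assumptions, since the question does not say what precedes the wanted date.

```python
import re
from datetime import datetime

# Constructed sample: the asker's two lines, plus a second record (assumed)
# so that a wrong BREAK_ONLY_BEFORE visibly swallows the next event.
RAW_LOG = (
    "2010/06/28 12:44:21 -\n"
    "-ERROR(Version: 1.0 Buildguy from 2009-05-12 08.45.26) : 2010/06/28 12:44:21....\n"
    "2010/06/28 12:50:03 -\n"
    "-ERROR(Version: 1.0 Buildguy from 2009-05-12 08.45.26) : 2010/06/28 12:50:03....\n"
)

# The asker's regex (2-digit year) and the corrected one (4-digit year).
BREAK_2DIGIT = r"^\d\d/\d\d/\d\d \d\d:\d\d:\d\d -"
BREAK_4DIGIT = r"^\d{4}/\d\d/\d\d \d\d:\d\d:\d\d -"


def merge_lines(raw, break_only_before):
    """Simulate SHOULD_LINEMERGE=true with BREAK_ONLY_BEFORE_DATE=False:
    a new event starts only at a line matching the regex; every other
    line is appended to the event currently being built."""
    pat = re.compile(break_only_before)
    events = []
    for line in raw.splitlines():
        if pat.search(line) or not events:
            events.append(line)
        else:
            events[-1] += "\n" + line
    return events


def extract_timestamp(event, time_prefix, time_format, lookahead=128):
    """Simulate TIME_PREFIX + TIME_FORMAT: locate the prefix regex, then
    parse the longest strptime-compatible substring that follows it.
    Returns None when the prefix or a parsable date is absent."""
    m = re.search(time_prefix, event)
    if not m:
        return None
    window = event[m.end():m.end() + lookahead]
    for n in range(len(window), 0, -1):
        try:
            return datetime.strptime(window[:n], time_format)
        except ValueError:
            continue
    return None


if __name__ == "__main__":
    for ev in merge_lines(RAW_LOG, BREAK_4DIGIT):
        # Assumed props.conf equivalent: TIME_PREFIX = \) :  / TIME_FORMAT = %Y/%m/%d %H:%M:%S
        print(extract_timestamp(ev, r"\) : ", "%Y/%m/%d %H:%M:%S"), repr(ev.split("\n")[0]))
```

With the 2-digit regex nothing ever matches, so all four lines collapse into one event; with the 4-digit regex each date line starts its own event, and the prefix `from ` versus `\) : ` selects the 2009 build date or the 2010 log date respectively.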
