Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

_time need to be pick from log middle entry

snehal8
Path Finder
‎09-29-2021 07:47 AM

Hello All,

Can any one help me on this event injection in Splunk.

 

sample data

122.0.0.2 NOT_AVAILABLE abc Agent= 2021-09-27 11:15:39 5648 WARN xyz
NOT_AVAILABLE NOT_AVAILABLE NOT_AVAILABLE NOT_AVAILABLE 2021-09-27 11:16:08 5432 DEBUG Field: xyz
- value: ID
- unformatted value: vvcsa
- formatted value: abcsc
- returnType:
- boost: 1
- append: False

 

Here it have to be two events with respective date time.

 

 

 

 

 

 

Labels (1)
Labels
Tags (1)
0 Karma
Reply

snehal8
Path Finder
‎09-29-2021 09:47 AM

Thank you for the reply.

 

The event should be broken by follows

1st Event 

122.0.0.2 NOT_AVAILABLE abc Agent= 2021-09-27 11:15:39 5648 WARN xyz

 

2nd Event

NOT_AVAILABLE NOT_AVAILABLE NOT_AVAILABLE NOT_AVAILABLE 2021-09-27 11:16:08 5432 DEBUG Field: xyz
- value: ID
- unformatted value: vvcsa
- formatted value: abcsc
- returnType:
- boost: 1
- append: False

 

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎09-29-2021 12:04 PM

I presume "NOT_AVAILABLE" represents sensitive data that can't be shared in a public forum.  Regrettably, this method of sanitization makes it rather difficult to create a regex that Splunk can use to split events.  Can you sanitize the data another way?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

snehal8
Path Finder
‎09-30-2021 01:59 AM

whenever there is no data in logs its represent as "NOT_AVAILABLE" entry. 

Please do consider this in regex as well. 

 

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎09-30-2021 05:17 AM

So the event could contain "NOT_AVAILABLE" or it could contain anything else, right?  That's makes it nearly impossible to define a rule for separating events.  I'm not sure I can help here.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

snehal8
Path Finder
‎09-30-2021 07:20 AM

Its can contain the IP address or if its empty then it contain "NOT_AVAILABLE".

Please do let me know if it help.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎09-29-2021 08:40 AM

Please show where the event should be broken.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Cloud | Empowering Splunk Administrators with Admin Config Service (ACS)

Greetings, Splunk Cloud Admins and Splunk enthusiasts! The Admin Configuration Service (ACS) team is excited ...

Tech Talk | One Log to Rule Them All

One log to rule them all: how you can centralize your troubleshooting with Splunk logs We know how important ...

Splunk Security Content for Threat Detection & Response, Q1 Roundup

Join Principal Threat Researcher, Michael Haag, as he walks through:An introduction to the Splunk Threat ...