Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

_time need to be pick from log middle entry

snehal8
Path Finder
‎09-29-2021 07:47 AM

Hello All,

Can any one help me on this event injection in Splunk.

 

sample data

122.0.0.2 NOT_AVAILABLE abc Agent= 2021-09-27 11:15:39 5648 WARN xyz
NOT_AVAILABLE NOT_AVAILABLE NOT_AVAILABLE NOT_AVAILABLE 2021-09-27 11:16:08 5432 DEBUG Field: xyz
- value: ID
- unformatted value: vvcsa
- formatted value: abcsc
- returnType:
- boost: 1
- append: False

 

Here it have to be two events with respective date time.

 

 

 

 

 

 

Labels (1)
Labels
Tags (1)
0 Karma
Reply

snehal8
Path Finder
‎09-29-2021 09:47 AM

Thank you for the reply.

 

The event should be broken by follows

1st Event 

122.0.0.2 NOT_AVAILABLE abc Agent= 2021-09-27 11:15:39 5648 WARN xyz

 

2nd Event

NOT_AVAILABLE NOT_AVAILABLE NOT_AVAILABLE NOT_AVAILABLE 2021-09-27 11:16:08 5432 DEBUG Field: xyz
- value: ID
- unformatted value: vvcsa
- formatted value: abcsc
- returnType:
- boost: 1
- append: False

 

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎09-29-2021 12:04 PM

I presume "NOT_AVAILABLE" represents sensitive data that can't be shared in a public forum.  Regrettably, this method of sanitization makes it rather difficult to create a regex that Splunk can use to split events.  Can you sanitize the data another way?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

snehal8
Path Finder
‎09-30-2021 01:59 AM

whenever there is no data in logs its represent as "NOT_AVAILABLE" entry. 

Please do consider this in regex as well. 

 

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎09-30-2021 05:17 AM

So the event could contain "NOT_AVAILABLE" or it could contain anything else, right?  That's makes it nearly impossible to define a rule for separating events.  I'm not sure I can help here.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

snehal8
Path Finder
‎09-30-2021 07:20 AM

Its can contain the IP address or if its empty then it contain "NOT_AVAILABLE".

Please do let me know if it help.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎09-29-2021 08:40 AM

Please show where the event should be broken.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Data Management Digest – November 2025

  Welcome to the inaugural edition of Data Management Digest! As your trusted partner in data innovation, the ...

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub  Hello Splunk Community!  Staying connected to your data—no matter where you are—is ...

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Real progress on your strategic priorities starts with knowing the business outcomes your teams are delivering ...