Splunk Search

Handling events with DateTime or just Time in same sourcetype

sini
Explorer

Hi,

I am asking if it's possible to ingest logfiles where one logline contains a DateTime and the following lines contain only a Time, until the next entry with a DateTime. If we ignore the Date as a whole by using a custom DateTime format consisting only of %H:%M:%S, it uses the creation date of the file and the time pulled from the individual event. While that works without issues for files containing less than 24 hours of data, it fails for files containing more than 24 hours of data:

### Job STARTED at 2021/09/21 00:30:00
[INFO ] 00:30:01 This is a test message
[WARN ] 01:15:01 This is a warning message
### Job STARTED at 2021/09/22 06:10:00
[INFO ] 06:10:01 This is a test message
[WARN ] 07:11:00 This is a warning message

Regards


codebuilder
Influencer

You should be able to accomplish this in props.conf by defining your sourcetype with a combination of SHOULD_LINEMERGE=true and the supporting parameters to define how/where Splunk should break off from creating a multi-line event.

You'll just need to experiment in a test environment (or dummy index) with the settings and your actual events. I would start off with log files that contain only a few entries. Otherwise, you can potentially end up with a single event comprised of the entire file.

https://docs.splunk.com/Documentation/Splunk/8.2.2/Admin/Propsconf#Line_breaking

----
An upvote would be appreciated and Accept Solution if it helps!
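An alternative that sidesteps the timestamp problem before Splunk sees the file, added here as an example and not code from either poster: rewrite each time-only line so it carries the full date from the most recent "### Job STARTED" header, advancing the date by a day when the clock wraps past midnight, which also covers files spanning more than 24 hours. The header and line layouts are assumed from the sample in the question; the midnight-crossing line in the sample below is constructed.

```python
import re
from datetime import datetime, timedelta

# Header lines carry the full date and time; all following lines carry only a time.
HEADER_RE = re.compile(r"^### Job STARTED at (\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})")
TIMEONLY_RE = re.compile(r"^(\[\w+\s*\])\s+(\d{2}:\d{2}:\d{2})\s+(.*)$")

def normalize(lines):
    """Yield each line rewritten with a full 'YYYY/MM/DD HH:MM:SS' timestamp.

    The date is taken from the most recent '### Job STARTED' header. If a
    time-only line is earlier than the previous event, the job ran past
    midnight and the date is advanced by one day. Lines seen before any
    header, or that match neither pattern, pass through untouched so
    nothing is silently dropped.
    """
    last = None  # datetime of the most recent event seen
    for line in lines:
        m = HEADER_RE.match(line)
        if m:
            last = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
            yield line
            continue
        m = TIMEONLY_RE.match(line)
        if not m or last is None:
            yield line
            continue
        level, hms, msg = m.groups()
        t = datetime.strptime(hms, "%H:%M:%S").time()
        ts = datetime.combine(last.date(), t)
        if ts < last:  # clock wrapped past midnight since the last event
            ts += timedelta(days=1)
        last = ts
        yield f"{level} {ts:%Y/%m/%d %H:%M:%S} {msg}"

# Constructed sample: the poster's log plus one line that crosses midnight.
SAMPLE = """\
### Job STARTED at 2021/09/21 00:30:00
[INFO ] 00:30:01 This is a test message
[WARN ] 23:59:59 This is a warning message
[INFO ] 00:00:05 Still the same job, now on the next day
### Job STARTED at 2021/09/22 06:10:00
[INFO ] 06:10:01 This is a test message
""".splitlines()

if __name__ == "__main__":
    for out in normalize(SAMPLE):
        print(out)
```

Once every line has a full timestamp, a plain TIME_FORMAT of %Y/%m/%d %H:%M:%S in props.conf is enough and no line merging is needed.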