Hi,
I am asking if it's possible to ingest log files where one log line contains a DateTime and the following lines only contain a Time, until the next entry with a DateTime. If we ignore the Date as a whole by using a custom DateTime format consisting only of %H:%M:%S, it uses the creation date of the file and the time pulled from the individual event. While that works without issues for files containing less than 24 hours of data, it fails for files containing more than 24 hours of data:
### Job STARTED at 2021/09/21 00:30:00
[INFO ] 00:30:01 This is a test message
[WARN ] 01:15:01 This is a warning message
### Job STARTED at 2021/09/22 06:10:00
[INFO ] 06:10:01 This is a test message
[WARN ] 07:11:00 This is a warning message
Regards
You should be able to accomplish this in props.conf by defining your sourcetype with a combination of SHOULD_LINEMERGE=true and the supporting parameters to define how/where Splunk should break off from creating a multi-line event.
You'll just need to experiment in a test environment (or dummy index) with the settings and your actual events. I would start off with log files that contain only a few entries. Otherwise, you can potentially end up with a single event comprised of the entire file.
https://docs.splunk.com/Documentation/Splunk/8.2.2/Admin/Propsconf#Line_breaking
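A props.conf stanza in the spirit of this answer, written against the sample log above, as an added example that is not from the original thread; the sourcetype name job_log, the anchor regex and the MAX_EVENTS value are assumptions for this log format.

```ini
# Assumed sourcetype name; apply it to the job log files in inputs.conf.
[job_log]
# Merge consecutive lines into one event instead of one event per line.
SHOULD_LINEMERGE = true
# Start a new event only at a job header line; every "[INFO ]" / "[WARN ]"
# line that follows is appended to the current event.
BREAK_ONLY_BEFORE = ^###\s+Job\s+STARTED\s+at\s
# Pull the event timestamp from the header rather than from the first
# time-only line, so the date is taken from the log itself, not the file.
TIME_PREFIX = ^###\s+Job\s+STARTED\s+at\s
TIME_FORMAT = %Y/%m/%d %H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 19
# Upper bound on lines per merged event: prevents a whole file collapsing
# into one event if a header regex ever fails to match (assumed value).
MAX_EVENTS = 1000
```

Note that each merged event gets the header's date and time as _time; the per-line times stay inside the event body and are not assigned to individual events, so this gives one event per job run rather than one correctly dated event per line.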