Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to break a multi-line event with regex, provided that the date and time containing the milliseconds changes only at the beginning of the line.

leandromatperei
Path Finder
‎11-15-2019 04:54 AM

Hi,
I have the following log format,
How can I break this multiline event, with the condition if the date is changed only when the date containing time is at the beginning of the line.

Example: 2019-11-12T12: 51: 28.338

2019-11-12T09:51:28.291 Dbg 23058 [MsgIn] Ended defined Clients :
2019-11-12T09:51:28.338 Dbg 23055 [MsgIn]     None.
2019-11-12T09:51:28.338 Dbg 23056 [MsgIn] Scheduled Clients :
2019-11-12T09:51:28.338 Dbg 23055 [MsgIn]     None.
2019-11-12T09:51:36.154 Trc 29998 [PSDK.Timer] 
-AP[8802]->-65331 @09:51:36.0154
2019-11-12T09:51:36.154 Trc 29998 [O worker #4] 
-Ap[8802]-<-65331 @09:51:36.0154
2019-11-12T09:51:51.145 Trc 29998 [PSDK.Timer] 
-AP[4563]->-58089 @09:51:51.0145
2019-11-12T09:51:51.145 Trc 29998 [O worker #4] 
-Ap[4563]-<-58089 @09:51:51.0145
2019-11-12T09:51:53.657 Trc 29998 [PSDK.Timer] 
-AP[5040]->-59427 @09:51:53.0657
2019-11-12T09:51:53.657 Trc 29998 [O worker #3] 
-Ap[5040]-<-59427 @09:51:53.0657
Timezone UTC offset:        03:00:00
UTC Start Time:         2019-11-09T05:25:11.154
Running Time (DDD:HH:MM:SS):    003:07:26:17
UTC Time:           2019-11-12T12:51:28.338

2019-11-12T09:51:58.353 Dbg 23053 [MsgIn] Clients defined in ConfigServer :
-Ap[4564]-<-58089 @09:52:21.0160
2019-11-12T09:52:28.367 Dbg 23053 [MsgIn] Clients defined in ConfigServer :
2019-11-12T09:52:28.367 Dbg 23054 [MsgIn]     <pop-client PROD545454> enabled.
2019-11-12T09:52:28.367 Dbg 23054 [MsgIn]     <pop-client PROD545454> enabled.
2019-11-12T09:52:28.367 Dbg 23054 [MsgIn]     <pop-client PROD545454> enabled.
Tags (2)
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎11-15-2019 05:02 AM

Try these props.conf settings:

[mysourcetype]
LINE_BREAKER = ([\r\n]+)\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d\.\d{3}
TIME_PREFIX = ^
TIME_FORMAT = %Y-%m-%dT%H%:M%:S.%3N
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

leandromatperei
Path Finder
‎11-18-2019 06:48 AM

Thanks.

How can I besides the comma also include the period?

Ex:
2019-11-18T10:44:31,949 Trc 21126 [SvcSrvW-39 ] <[33489584]> 'OMInteractions.GetInteractionContent' (request id 33489584) handling duration : 94 ms.
2019-11-18T10:44:31,949 Trc 21133 [SvcSrvW-38 ] <[122907, txn-18478985, txn-18478985, txn-18478985]> Updating persistent object '000QPaEVQX5MWUQV' from class 'com.genesyslab.icc.api.contactserver.persistent.IndexEvent'.
2019-11-18T10:44:31,949 Dbg 09900 [SvcSrvW-38 ] <[122907, txn-18478985, txn-18478985, txn-18478985]> Executing request: update IndexEvent set IndexEvent.IndexName=?, IndexEvent.ProcessedPri=?, IndexEvent.EventDate=?, IndexEvent.ProcessedBck=?, IndexEvent.Operation=? where (IndexEvent.Id = ?) in transaction : 422961818@txn-txn-18478985 with timeout=15
2019-11-18T10:44:31,949 Dbg 09900 [SvcSrvW-25 ] <[33489586, txn-18478990, txn-18478990]> Getting ResultSetMetaData

2019-11-12T09:51:58.353 OR 2019-11-18T10:44:31,949

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎11-19-2019 04:43 AM

The TIME_FORMAT setting for times using comma would be %Y-%m-%dT%H%:M%:S,%3N. One cannot specify alternatives in TIME_FORMAT. To support variations in time strings. edit the DATETIME.XML file.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

leandromatperei
Path Finder
‎11-18-2019 06:45 AM

thanks,

And for the pattern below, what should the time format be? "2019-11-18T10:44:31,949"

2019-11-18T10:44:31,949 Trc 21126 [SvcSrvW-39 ] <[33489584]> 'OMInteractions.GetInteractionContent' (request id 33489584) handling duration : 94 ms.
2019-11-18T10:44:31,949 Trc 21133 [SvcSrvW-38 ] <[122907, txn-18478985, txn-18478985, txn-18478985]> Updating persistent object '000QPaEVQX5MWUQV' from class 'com.genesyslab.icc.api.contactserver.persistent.IndexEvent'.
2019-11-18T10:44:31,949 Dbg 09900 [SvcSrvW-38 ] <[122907, txn-18478985, txn-18478985, txn-18478985]> Executing reque

How can I besides the comma include the dot in timeformat?

2019-11-12T09:51:53.657 OR 2019-11-18T10:44:31,949

0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...