
How to break a multi-line event with regex, provided that the date and time containing the milliseconds changes only at the beginning of the line.

leandromatperei
Path Finder

Hi,
I have the following log format.
How can I break this multi-line event, on the condition that a new event starts only when a date and time appear at the beginning of the line?

Example: 2019-11-12T12:51:28.338

2019-11-12T09:51:28.291 Dbg 23058 [MsgIn] Ended defined Clients :
2019-11-12T09:51:28.338 Dbg 23055 [MsgIn]     None.
2019-11-12T09:51:28.338 Dbg 23056 [MsgIn] Scheduled Clients :
2019-11-12T09:51:28.338 Dbg 23055 [MsgIn]     None.
2019-11-12T09:51:36.154 Trc 29998 [PSDK.Timer] 
-AP[8802]->-65331 @09:51:36.0154
2019-11-12T09:51:36.154 Trc 29998 [O worker #4] 
-Ap[8802]-<-65331 @09:51:36.0154
2019-11-12T09:51:51.145 Trc 29998 [PSDK.Timer] 
-AP[4563]->-58089 @09:51:51.0145
2019-11-12T09:51:51.145 Trc 29998 [O worker #4] 
-Ap[4563]-<-58089 @09:51:51.0145
2019-11-12T09:51:53.657 Trc 29998 [PSDK.Timer] 
-AP[5040]->-59427 @09:51:53.0657
2019-11-12T09:51:53.657 Trc 29998 [O worker #3] 
-Ap[5040]-<-59427 @09:51:53.0657
Timezone UTC offset:        03:00:00
UTC Start Time:         2019-11-09T05:25:11.154
Running Time (DDD:HH:MM:SS):    003:07:26:17
UTC Time:           2019-11-12T12:51:28.338

2019-11-12T09:51:58.353 Dbg 23053 [MsgIn] Clients defined in ConfigServer :
-Ap[4564]-<-58089 @09:52:21.0160
2019-11-12T09:52:28.367 Dbg 23053 [MsgIn] Clients defined in ConfigServer :
2019-11-12T09:52:28.367 Dbg 23054 [MsgIn]     <pop-client PROD545454> enabled.
2019-11-12T09:52:28.367 Dbg 23054 [MsgIn]     <pop-client PROD545454> enabled.
2019-11-12T09:52:28.367 Dbg 23054 [MsgIn]     <pop-client PROD545454> enabled.
0 Karma

richgalloway
SplunkTrust

Try these props.conf settings:

[mysourcetype]
# Start a new event only where a line begins with a full timestamp.
# The captured newline(s) are discarded, so lines without a leading
# timestamp stay attached to the preceding event.
LINE_BREAKER = ([\r\n]+)\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d\.\d{3}
# LINE_BREAKER alone defines the events; skip the line-merging pass.
SHOULD_LINEMERGE = false
TIME_PREFIX = ^
TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%3N
---
If this reply helps you, Karma would be appreciated.
0 Karma

leandromatperei
Path Finder

Thanks.

How can I also include the period, besides the comma?

Ex:
2019-11-18T10:44:31,949 Trc 21126 [SvcSrvW-39 ] <[33489584]> 'OMInteractions.GetInteractionContent' (request id 33489584) handling duration : 94 ms.
2019-11-18T10:44:31,949 Trc 21133 [SvcSrvW-38 ] <[122907, txn-18478985, txn-18478985, txn-18478985]> Updating persistent object '000QPaEVQX5MWUQV' from class 'com.genesyslab.icc.api.contactserver.persistent.IndexEvent'.
2019-11-18T10:44:31,949 Dbg 09900 [SvcSrvW-38 ] <[122907, txn-18478985, txn-18478985, txn-18478985]> Executing request: update IndexEvent set IndexEvent.IndexName=?, IndexEvent.ProcessedPri=?, IndexEvent.EventDate=?, IndexEvent.ProcessedBck=?, IndexEvent.Operation=? where (IndexEvent.Id = ?) in transaction : 422961818@txn-txn-18478985 with timeout=15
2019-11-18T10:44:31,949 Dbg 09900 [SvcSrvW-25 ] <[33489586, txn-18478990, txn-18478990]> Getting ResultSetMetaData

2019-11-12T09:51:58.353 OR 2019-11-18T10:44:31,949

0 Karma

richgalloway
SplunkTrust

The TIME_FORMAT setting for times using a comma would be %Y-%m-%dT%H:%M:%S,%3N. One cannot specify alternatives in TIME_FORMAT. To support variations in time strings, edit the DATETIME.XML file.

---
If this reply helps you, Karma would be appreciated.
0 Karma
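To check the two answers above before touching a production props.conf, here is an added example (not code from the thread or from Splunk) that emulates, offline, what the suggested LINE_BREAKER and TIME_FORMAT do to the poster's sample lines. It covers both points made in the replies: the first answer's rule that a new event starts only where a line begins with a full timestamp, and the second answer's rule that a single TIME_FORMAT cannot express "dot or comma", so the separator must be handled outside the format string. The helper names, the widened `[.,]` pattern, and the condensed sample log are assumptions of this example; the emulation models only event splitting and timestamp extraction, not the rest of Splunk's ingestion pipeline.

```python
"""Offline emulation of Splunk LINE_BREAKER / TIME_FORMAT behaviour.

Added example, not part of the original thread. Helper names, the [.,]
widening and the sample text below are this example's own assumptions.
"""
import re
from datetime import datetime

# Same idea as the suggested LINE_BREAKER, widened to accept either '.' or ','
# between seconds and milliseconds (the follow-up asks for both). Splunk drops
# the text matched by the first capture group and begins the new event at the
# timestamp after it; a lookahead gives re.split the same effect without
# consuming the timestamp.
LINE_BREAKER = re.compile(
    r"([\r\n]+)(?=\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d[.,]\d{3})"
)

# Emulates TIME_PREFIX = ^ : the timestamp must sit at the start of the event.
TIMESTAMP_RE = re.compile(r"^\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d([.,])\d{3}")

# Constructed sample, condensed from the lines in the question. The "-AP[...]"
# lines and the "Timezone UTC offset" block have no leading timestamp and must
# stay attached to the event before them; note the "UTC Time:" line contains a
# timestamp mid-line that must NOT start a new event.
SAMPLE_LOG = """2019-11-12T09:51:28.291 Dbg 23058 [MsgIn] Ended defined Clients :
2019-11-12T09:51:36.154 Trc 29998 [PSDK.Timer]
-AP[8802]->-65331 @09:51:36.0154
2019-11-12T09:51:53.657 Trc 29998 [O worker #3]
-Ap[5040]-<-59427 @09:51:53.0657
Timezone UTC offset:        03:00:00
UTC Time:           2019-11-12T12:51:28.338

2019-11-18T10:44:31,949 Trc 21126 [SvcSrvW-39 ] handling duration : 94 ms.
"""


def split_events(raw: str) -> list[str]:
    """Emulate LINE_BREAKER: split only at newlines directly followed by a timestamp."""
    # re.split interleaves the captured separators at odd indexes; drop them.
    parts = LINE_BREAKER.split(raw)
    events = [p for i, p in enumerate(parts) if i % 2 == 0]
    return [e.rstrip("\r\n") for e in events if e.strip()]


def parse_timestamp(event: str) -> datetime:
    """Emulate TIME_PREFIX = ^ plus TIME_FORMAT for one event.

    strptime, like Splunk's TIME_FORMAT, has no 'either . or ,' syntax, so the
    format is chosen from the separator actually present. Python's %f plays the
    role of Splunk's %3N here (it accepts up to six digits, so 949 -> 949000 us).
    """
    m = TIMESTAMP_RE.match(event)
    if not m:
        raise ValueError(f"no leading timestamp in event: {event[:40]!r}")
    sep = m.group(1)
    fmt = f"%Y-%m-%dT%H:%M:%S{sep}%f"
    return datetime.strptime(m.group(0), fmt)


def summarize(raw: str) -> list[tuple[str, int]]:
    """Return (ISO timestamp, number of physical lines) for every event found."""
    out = []
    for ev in split_events(raw):
        out.append((parse_timestamp(ev).isoformat(), ev.count("\n") + 1))
    return out


if __name__ == "__main__":
    for ts, nlines in summarize(SAMPLE_LOG):
        print(f"{ts}  lines={nlines}")
```

Running the script shows four events: the second carries its `-AP[...]` continuation line, the third keeps the `Timezone UTC offset` block even though a timestamp appears later in that block, and the comma-separated 2019-11-18 line is parsed to the same microsecond precision as the dot-separated ones. In Splunk itself the equivalent of `parse_timestamp`'s per-event format choice is a custom datetime.xml entry, which is what the second answer points at.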

leandromatperei
Path Finder

Thanks.

And for the pattern below, what should the time format be? "2019-11-18T10:44:31,949"

2019-11-18T10:44:31,949 Trc 21126 [SvcSrvW-39 ] <[33489584]> 'OMInteractions.GetInteractionContent' (request id 33489584) handling duration : 94 ms.
2019-11-18T10:44:31,949 Trc 21133 [SvcSrvW-38 ] <[122907, txn-18478985, txn-18478985, txn-18478985]> Updating persistent object '000QPaEVQX5MWUQV' from class 'com.genesyslab.icc.api.contactserver.persistent.IndexEvent'.
2019-11-18T10:44:31,949 Dbg 09900 [SvcSrvW-38 ] <[122907, txn-18478985, txn-18478985, txn-18478985]> Executing reque

How can I include the dot in TIME_FORMAT as well as the comma?

2019-11-12T09:51:53.657 OR 2019-11-18T10:44:31,949

0 Karma