Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to break the events by timestamp if there are two timestamps in every event?

nareshchenchati
Explorer
‎06-21-2019 08:39 AM

Hello,
I'm trying to break the events by time stamps but it is networking, can anyone help me on this?
Here is the raw data:

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

nareshchenchati
Explorer
‎06-24-2019 01:56 AM

This is working fine..
LINE_BREAKER=()[\d{1,}\/\d{2}\/\d{2}\s\d{2}:\d{2}:\d{2}:\d{1,}\sCEST]
NO_BINARY_CHECK=true
TIME_FORMAT=%m/%d/%y %H:%M:%S:%3N
TIME_PREFIX=[
MAX_TIMESTAMP_LOOKAHEAD=128

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

nareshchenchati
Explorer
‎06-24-2019 01:56 AM

This is working fine..
LINE_BREAKER=()[\d{1,}\/\d{2}\/\d{2}\s\d{2}:\d{2}:\d{2}:\d{1,}\sCEST]
NO_BINARY_CHECK=true
TIME_FORMAT=%m/%d/%y %H:%M:%S:%3N
TIME_PREFIX=[
MAX_TIMESTAMP_LOOKAHEAD=128

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎06-24-2019 07:48 AM

Your MAX_TIMESTAMP_LOOKAHEAD is way too big and inefficient; it should be 26. Also, your LINE_BREAKER should not include the timezone because that is likely to change and that will break everything. See my answer for a fully correct/optimal configuration set (except for possibly your change from some \d{2} to \d{1,}, which I would actually make \d{1,2} if it is truly necessary.

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎06-24-2019 07:16 AM

Be sure to UpVote anybody that helped you get there.

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎06-22-2019 01:11 PM

Try this in props.conf:

[<YourSourcetypeHere>]
SHOULD_LINEMERGE=false
LINE_BREAKER = ([\r\n]+)\[\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}
TIME_PREFIX = ^\[
TIME_FORMAT = %m/%d/%y %H:%M:%S:%3N %Z
MAX_TIMESTAMP_LOOKAHEAD  = 26

If you are doing a sourcetype override/overwrite, you must use the ORIGINAL values NOT the new value, then you must deploy this to the first full instance(s) of Splunk that handles the events (usually either the HF-tier, if you use this, or your Indexer tier), restart all Splunk instances there, send in new events (old events will stay broken), then test using _index_earliest=-5m to be absolutely certain that you are only examining the newly indexed events.

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎06-22-2019 12:52 AM

Hi nareshchenchati,
sorry but I don't see your row data and it's difficoult to write the correct regex.

Anyway you have to insert the correct regexes for both the parameters

 TIME_PREFIX
 TIME_FORMAT

See https://docs.splunk.com/Documentation/Splunk/7.3.0/Admin/Propsconf for other details.

Bye.
Giuseppe

0 Karma
Reply
Solved! Jump to solution

twinspop
Influencer
‎06-21-2019 09:40 AM 
[yoursourcetype]
SHOULD_LINEMERGE = 0
LINE_BREAKER     = ([\r\n]+\s*)\[
TIME_PREFIX      = \[
TIME_FORMAT      = %m/%d/%y %T:%3N

EDIT: fixed year from 4 digit (%Y) to 2 digit (%y)

0 Karma
Reply
Get Updates on the Splunk Community!

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2

&#x1f5e3; You Spoke, We Listened  Audit Trail v2 wasn’t written in isolation—it was shaped by your voices.  In ...

What's New in Splunk Observability - October 2025

What’s New?    We’re excited to announce the latest enhancements to Splunk Observability Cloud and share ...

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

 Prepare to elevate your security operations with the powerful upgrade to Splunk Enterprise Security 8.x! This ...