- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to break the events by timestamp if there ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
I'm trying to break the events by time stamps but it is networking, can anyone help me on this?
Here is the raw data:
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is working fine..
LINE_BREAKER=()[\d{1,}\/\d{2}\/\d{2}\s\d{2}:\d{2}:\d{2}:\d{1,}\sCEST]
NO_BINARY_CHECK=true
TIME_FORMAT=%m/%d/%y %H:%M:%S:%3N
TIME_PREFIX=[
MAX_TIMESTAMP_LOOKAHEAD=128
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is working fine..
LINE_BREAKER=()[\d{1,}\/\d{2}\/\d{2}\s\d{2}:\d{2}:\d{2}:\d{1,}\sCEST]
NO_BINARY_CHECK=true
TIME_FORMAT=%m/%d/%y %H:%M:%S:%3N
TIME_PREFIX=[
MAX_TIMESTAMP_LOOKAHEAD=128
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Your MAX_TIMESTAMP_LOOKAHEAD is way too big and inefficient; it should be 26. Also, your LINE_BREAKER should not include the timezone because that is likely to change and that will break everything. See my answer for a fully correct/optimal configuration set (except for possibly your change from some \d{2} to \d{1,}, which I would actually make \d{1,2} if it is truly necessary.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Be sure to UpVote anybody that helped you get there.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this in props.conf:
[<YourSourcetypeHere>]
SHOULD_LINEMERGE=false
LINE_BREAKER = ([\r\n]+)\[\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}
TIME_PREFIX = ^\[
TIME_FORMAT = %m/%d/%y %H:%M:%S:%3N %Z
MAX_TIMESTAMP_LOOKAHEAD = 26
If you are doing a sourcetype override/overwrite, you must use the ORIGINAL values NOT the new value, then you must deploy this to the first full instance(s) of Splunk that handles the events (usually either the HF-tier, if you use this, or your Indexer tier), restart all Splunk instances there, send in new events (old events will stay broken), then test using _index_earliest=-5m to be absolutely certain that you are only examining the newly indexed events.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi nareshchenchati,
sorry but I don't see your row data and it's difficoult to write the correct regex.
Anyway you have to insert the correct regexes for both the parameters
TIME_PREFIX
TIME_FORMAT
See https://docs.splunk.com/Documentation/Splunk/7.3.0/Admin/Propsconf for other details.
Bye.
Giuseppe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
[yoursourcetype]
SHOULD_LINEMERGE = 0
LINE_BREAKER = ([\r\n]+\s*)\[
TIME_PREFIX = \[
TIME_FORMAT = %m/%d/%y %T:%3N
EDIT: fixed year from 4 digit (%Y) to 2 digit (%y)
Enterprise Security Content Update (ESCU) | New Releases
Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?
Index This | What are the 12 Days of Splunk-mas?
