Splunk Search

How to group a multi-regex event to form a single event until you find the date only at the beginning of the interaction

leandromatperei
Path Finder

Hi,

I have the following log format,

How can I break this multiline event on the condition that a timestamp such as "2020-01-23 03:50:49,063" arrives?

Note that the log needs to be indexed with Local Time.

//******************************************************************************************************
//  Module              : teste 6.15.0001.77
//  Local Time          : 23/01/2020 03:50:48.985 (Daylight Saving Time=Off)
//  System Time (UTC)   : 23/01/2020 06:50:48.985
// 
//  Domain Name         : itau.corp.ihf
// 
//  32/64 Bit           : 64 Bit
// 
//  Module Name, File Version, Modification Date:
//  ----------------------------------------------------------------------------------------------------
//  teste.exe, 6.15.0001.77, 05/08/2019 19:58:36
// 
//******************************************************************************************************

2020-01-23 03:50:49,063 | INFO  | 4 | testeService.OnStart |  | teste | testeService.OnStart: Log Client initialized successfully. 
2020-01-23 03:50:49,094 | INFO  | 4 | testeService.OnStart |  | teste | testeService.OnStart: Trying to load teste modules... 
2020-01-23 03:50:49,610 | INFO  | 15 | ServiceHost |  | teste | testeService.HandleServiceHostLogEvent: Going to register WCF teste 
2020-01-23 03:50:53,391 | INFO  | 15 | ServiceHost |  | teste | testeService.HandleServiceHostLogEvent: Config file already defines ServiceModel configuration, for service teste. Trying to load updated configuration and combine (for Accessible mode only!)... 
2020-01-23 03:50:53,485 | INFO  | 15 | ServiceHost |  | teste | testeService.HandleServiceHostLogEvent: Finished writing updated ServiceModel configuration to config file, for service teste. 
2020-01-23 03:50:53,813 | INFO  | 15 | ServiceHost |  | teste | testeService.HandleServiceHostLogEvent: << All WCF services succeeded to publish. took: 00:00:00.3281398 

In this example, the log should be broken into 06 lines, considering the line starting with "2020-01-23 03:50:49,063" as the beginning.


richgalloway
SplunkTrust

Normal processing should handle that. Try these specific props.conf settings.

[mysourcetype]
TIME_PREFIX = ^
TIME_FORMAT = %Y-%m-%d %H:%M:%S,%3N
LINE_BREAKER = ([\r\n]+)
SEDCMD-nocomments = s/^\/\/.*$//g
---
If this reply helps you, Karma would be appreciated.
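As an added illustration (example code written for this page, not code from the thread or from Splunk), the Python script below applies the three rules of the props.conf stanza above to a constructed, shortened copy of the posted log: blank the lines that start with `//` (the SEDCMD), break on newlines (the LINE_BREAKER), and read the timestamp anchored at the start of each line (TIME_PREFIX and TIME_FORMAT). It also reads the header's "Local Time" and "System Time (UTC)" pair to attach the local UTC offset to every event, on the assumption that both header lines describe the same instant. Splunk's `%3N` has no Python equivalent, so `%f` is used for the millisecond field. Skipping empty lines and letting a line with no timestamp inherit the previous event's time are assumptions about indexer behaviour, not facts from the thread.

```python
import re
from datetime import datetime, timezone

# Constructed sample: a shortened copy of the log excerpt posted in the question.
SAMPLE_LOG = """\
//******************************************************************************************************
//  Module              : teste 6.15.0001.77
//  Local Time          : 23/01/2020 03:50:48.985 (Daylight Saving Time=Off)
//  System Time (UTC)   : 23/01/2020 06:50:48.985
//
//  Domain Name         : itau.corp.ihf
//******************************************************************************************************

2020-01-23 03:50:49,063 | INFO  | 4 | testeService.OnStart |  | teste | Log Client initialized successfully.
2020-01-23 03:50:49,094 | INFO  | 4 | testeService.OnStart |  | teste | Trying to load teste modules...
2020-01-23 03:50:49,610 | INFO  | 15 | ServiceHost |  | teste | Going to register WCF teste
2020-01-23 03:50:53,391 | INFO  | 15 | ServiceHost |  | teste | Config file already defines ServiceModel configuration.
2020-01-23 03:50:53,485 | INFO  | 15 | ServiceHost |  | teste | Finished writing updated ServiceModel configuration.
2020-01-23 03:50:53,813 | INFO  | 15 | ServiceHost |  | teste | << All WCF services succeeded to publish. took: 00:00:00.3281398
"""

# TIME_PREFIX = ^ and TIME_FORMAT = %Y-%m-%d %H:%M:%S,%3N: the timestamp sits at the start of the line.
# Python's strptime has no %3N; %f accepts the three-digit millisecond field.
EVENT_TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3})")
EVENT_TS_FMT = "%Y-%m-%d %H:%M:%S,%f"

# Header fields used to recover the local UTC offset (format taken from the posted header).
HEADER_TS_FMT = "%d/%m/%Y %H:%M:%S.%f"
LOCAL_RE = re.compile(r"^//\s*Local Time\s*:\s*(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d{3})")
UTC_RE = re.compile(r"^//\s*System Time \(UTC\)\s*:\s*(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d{3})")


def local_timezone(text):
    r"""Derive a fixed-offset tzinfo from the header's Local Time / System Time (UTC) pair.

    Assumption (not stated in the thread): both header lines describe the same instant,
    so their difference is the local UTC offset in force when the log was written.
    Falls back to UTC when the header is absent.
    """
    local = utc = None
    for line in text.splitlines():
        m = LOCAL_RE.match(line)
        if m:
            local = datetime.strptime(m.group(1), HEADER_TS_FMT)
        m = UTC_RE.match(line)
        if m:
            utc = datetime.strptime(m.group(1), HEADER_TS_FMT)
    if local is None or utc is None:
        return timezone.utc
    return timezone(local - utc)


def strip_comments(text):
    r"""SEDCMD-nocomments = s/^\/\/.*$//g : blank every line that starts with //."""
    return "\n".join("" if line.startswith("//") else line for line in text.splitlines())


def break_events(text):
    r"""LINE_BREAKER = ([\r\n]+): every non-empty line is one event, timestamped from its prefix.

    Returns a list of (timezone-aware datetime, raw line) tuples.
    """
    tz = local_timezone(text)
    events = []
    previous_ts = None
    for line in strip_comments(text).splitlines():
        if not line.strip():
            continue  # blanked header lines and the empty separator line yield no event (assumption)
        m = EVENT_TS_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), EVENT_TS_FMT).replace(tzinfo=tz)
        else:
            # Assumed fallback: a line with no recognizable timestamp inherits the previous event's time.
            ts = previous_ts
        events.append((ts, line))
        previous_ts = ts
    return events


if __name__ == "__main__":
    for ts, raw in break_events(SAMPLE_LOG):
        print(ts.isoformat(), "| UTC", ts.astimezone(timezone.utc).time(), "|", raw[:60])
```

Running the script prints six events, one per timestamped line, each carrying the -03:00 offset recovered from the header, so the first event (03:50:49,063 local) converts to 06:50:49,063 UTC, matching the header's own Local/UTC pair.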