Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to wrap a regex multiline event to form a single event until you find the date at the beginning of the interaction

leandromatperei
Path Finder
‎11-18-2019 05:10 PM

Hi,

I have the following log format,
How can I break this multiline event on condition that "2019-11-12T09: 51: 28.291" arrives.

Note that the log needs to be indexed with Local Time.

Application Name:       teste
Application Type:       teste
Application Host (config spec): teste
Application Id:         1678
Application Version:        teste
Application Backup:         teste
Application Connections:        
    teste (INTERACTION_SERVER) on teste
    teste (CONTACT_SERVER) on teste
    teste (MESSAGE_SERVER) on teste
    teste (CONFIG_SERVER) on teste
    teste (CONFIG_SERVER) on teste
Timezone Display name:      Brasilia Time
Timezone UTC offset:        03:00:00
UTC Start Time:         2019-11-09T05:25:11.154
Running Time (DDD:HH:MM:SS):    003:07:26:17
UTC Time:           2019-11-12T12:51:28.338
Local Time:             2019-11-12T09:51:28.338
Memory Usage (bytes):       306847520 / 372248576
Host Info:          Windows Server 2008 R2
Host Architecture:      amd64
OS Version:             6.1
File Encoding:          Cp1252
Start Folder:           teste
File:               teste
Java Vendor:            Oracle Corporation
Java Version:           teste
Java Home:          D:\Program Files\Java\JAVA231
Application Options: {
  { settings ['max-cnx-to-ucs' [str] = "30", 'webapi-port' [str] = "8777", 'ucs-reconnect-timeout' [str] = "80000", 'cnx-to-ucs-wait-time' [str] = "120000", 'ucs-duplex-mode' [str] = "FALSE", ]}

2019-11-12T09:51:28.291 Dbg 23058 [MsgIn] Ended defined Clients :

The log should be one line until it finds "2019-11-12T09: 51: 28.291", but must be indexed with local time, in the case "2019-11-12T09: 51: 28.338".

Tags (2)
0 Karma
Reply

darrenfuller
Contributor
‎11-19-2019 07:39 AM

I am a little confused about your line breaking question, so i am assuming a second event with the same format will follow what you have pasted in, and so the line breaker is the newline following a line that starts with a timestamp (see https://regex101.com/r/uB6tJJ/1 )...

This also uses the Local_Time as the timestamp for the event. 

[sourcetypename]
disabled = false
LINE_BREAKER = [\r\n]\s+?\d{4}\-\d{2}\-\d{2}T\d{2}\:\d{2}\:\d{2}\.\d{3}\s.+([\r\n]+)
SHOULD_LINEMERGE = false
TIME_PREFIX = Local\sTime\:\s+
TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%3n
MAX_TIMESTAMP_LOOKAHEAD = 25
TRUNCATE = 10000
0 Karma
Reply

sanjeev543
Communicator
‎11-18-2019 11:12 PM

Did you mean to say you need to break event every time it finds `2019-11-12T09:51:28.291 ' in your log file?
Is that time stamp going to be constant or that is going to change?
And also as I understand, you need to pick the local timestamp of indexer as _time not the time in event?
Please confirm?
Also, we appreciate , if you could provide some more sample data

0 Karma
Reply

cpatadobe
Explorer
‎11-18-2019 08:47 PM

What do you mean "The log should be one line until?" Do you mean that everything from the "Application Name:" through the line starting with the date is supposed to be the event? Or do you mean something else?

0 Karma
Reply

ansusabu
Communicator
‎11-18-2019 09:30 PM

Need more clarity on this question.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability Synthetic Monitoring - Resolved Incident on Detector Alerts

We’ve discovered a bug that affected the auto-clear of Synthetic Detectors in the Splunk Synthetic Monitoring ...

Video | Tom’s Smartness Journey Continues

Remember Splunk Community member Tom Kopchak? If you caught the first episode of our Smartness interview ...

3-2-1 Go! How Fast Can You Debug Microservices with Observability Cloud?

3-2-1 Go! How Fast Can You Debug Microservices with Observability Cloud? Learn how unique features like ...