
How to wrap a regex multiline event to form a single event until you find the date at the beginning of the interaction

leandromatperei
Path Finder

Hi,

I have the following log format.
How can I break this multiline event on the condition that "2019-11-12T09:51:28.291" arrives?

Note that the log needs to be indexed with Local Time.

Application Name:       teste
Application Type:       teste
Application Host (config spec): teste
Application Id:         1678
Application Version:        teste
Application Backup:         teste
Application Connections:        
    teste (INTERACTION_SERVER) on teste
    teste (CONTACT_SERVER) on teste
    teste (MESSAGE_SERVER) on teste
    teste (CONFIG_SERVER) on teste
    teste (CONFIG_SERVER) on teste
Timezone Display name:      Brasilia Time
Timezone UTC offset:        03:00:00
UTC Start Time:         2019-11-09T05:25:11.154
Running Time (DDD:HH:MM:SS):    003:07:26:17
UTC Time:           2019-11-12T12:51:28.338
Local Time:             2019-11-12T09:51:28.338
Memory Usage (bytes):       306847520 / 372248576
Host Info:          Windows Server 2008 R2
Host Architecture:      amd64
OS Version:             6.1
File Encoding:          Cp1252
Start Folder:           teste
File:               teste
Java Vendor:            Oracle Corporation
Java Version:           teste
Java Home:          D:\Program Files\Java\JAVA231
Application Options: {
  { settings ['max-cnx-to-ucs' [str] = "30", 'webapi-port' [str] = "8777", 'ucs-reconnect-timeout' [str] = "80000", 'cnx-to-ucs-wait-time' [str] = "120000", 'ucs-duplex-mode' [str] = "FALSE", ]}

2019-11-12T09:51:28.291 Dbg 23058 [MsgIn] Ended defined Clients :

The log should be one line until it finds "2019-11-12T09:51:28.291", but it must be indexed with the local time, in this case "2019-11-12T09:51:28.338".


darrenfuller
Contributor

I am a little confused about your line breaking question, so I am assuming a second event with the same format will follow what you have pasted in, and so the line breaker is the newline following a line that starts with a timestamp (see https://regex101.com/r/uB6tJJ/1 )...

This also uses the Local_Time as the timestamp for the event.

# props.conf
[sourcetypename]
disabled = false
# Break after a line that starts with a timestamp; the captured newline(s) are the event boundary
LINE_BREAKER = [\r\n]\s+?\d{4}\-\d{2}\-\d{2}T\d{2}\:\d{2}\:\d{2}\.\d{3}\s.+([\r\n]+)
SHOULD_LINEMERGE = false
# Take _time from the "Local Time:" line, not from "UTC Time:" or the line-start timestamp
TIME_PREFIX = Local\sTime\:\s+
TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%3n
MAX_TIMESTAMP_LOOKAHEAD = 25
TRUNCATE = 10000
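To see what the stanza above does to the poster's log, here is an added Python emulation (not Splunk's code and not part of the answer) of LINE_BREAKER, TIME_PREFIX, TIME_FORMAT and MAX_TIMESTAMP_LOOKAHEAD, run over a constructed two-event excerpt of the sample; the function names and the shortened sample are assumptions.

```python
import re
from datetime import datetime

# Settings copied from the props.conf stanza in the answer above.
LINE_BREAKER = re.compile(
    r"[\r\n]\s+?\d{4}\-\d{2}\-\d{2}T\d{2}\:\d{2}\:\d{2}\.\d{3}\s.+([\r\n]+)")
TIME_PREFIX = re.compile(r"Local\sTime\:\s+")
MAX_TIMESTAMP_LOOKAHEAD = 25
# Splunk's %3n (milliseconds) is parsed here with Python's %f, which accepts 3 digits.
TIME_FORMAT = "%Y-%m-%dT%H:%M:%S.%f"
TIMESTAMP = re.compile(r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{3}")

# Constructed excerpt of the poster's log: two status dumps, each closed by a
# line that starts with a timestamp (not the full sample from the question).
SAMPLE = (
    "Application Name:       teste\n"
    "Application Id:         1678\n"
    "UTC Time:           2019-11-12T12:51:28.338\n"
    "Local Time:             2019-11-12T09:51:28.338\n"
    "Application Options: {\n"
    "  { settings ['max-cnx-to-ucs' [str] = \"30\", ]}\n"
    "\n"
    "2019-11-12T09:51:28.291 Dbg 23058 [MsgIn] Ended defined Clients :\n"
    "Application Name:       teste\n"
    "UTC Time:           2019-11-12T13:01:02.500\n"
    "Local Time:             2019-11-12T10:01:02.500\n"
    "\n"
    "2019-11-12T10:01:02.400 Dbg 23059 [MsgIn] Ended defined Clients :\n"
)

def break_events(raw):
    """Emulate LINE_BREAKER with SHOULD_LINEMERGE=false: the text matched by
    the capture group is the event boundary and is dropped from both events."""
    events, pos = [], 0
    for m in LINE_BREAKER.finditer(raw):
        events.append(raw[pos:m.start(1)])
        pos = m.end(1)
    if raw[pos:].strip():          # whatever follows the last boundary
        events.append(raw[pos:])
    return events

def extract_time(event):
    """Emulate TIME_PREFIX + MAX_TIMESTAMP_LOOKAHEAD + TIME_FORMAT: the timestamp is
    searched only in the 25 characters after "Local Time:", so neither the UTC Time
    line nor the 09:51:28.291 that starts the last line can be picked."""
    m = TIME_PREFIX.search(event)
    if not m:
        return None                # Splunk would fall back to its other heuristics
    ts = TIMESTAMP.search(event[m.end():m.end() + MAX_TIMESTAMP_LOOKAHEAD])
    if not ts:
        return None
    return datetime.strptime(ts.group(0), TIME_FORMAT).isoformat(timespec="milliseconds")

def index(raw):
    """Return (_time, first line) per event, as Splunk would index them."""
    return [(extract_time(e), e.splitlines()[0]) for e in break_events(raw)]

if __name__ == "__main__":
    for t, head in index(SAMPLE):
        print(t, "|", head)
```

The value extracted this way is a wall-clock string; Splunk interprets it in the forwarder's or indexer's zone unless the stanza also sets TZ, so a Brasilia log read on a UTC host would need that setting to keep the offset right.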

sanjeev543
Communicator

Did you mean to say you need to break the event every time it finds "2019-11-12T09:51:28.291" in your log file?
Is that timestamp going to be constant, or is it going to change?
And also, as I understand it, you need to pick the local timestamp of the indexer as _time, not the time in the event?
Please confirm.
Also, we would appreciate it if you could provide some more sample data.


cpatadobe
Explorer

What do you mean by "The log should be one line until"? Do you mean that everything from the "Application Name:" line through the line starting with the date is supposed to be the event? Or do you mean something else?


ansusabu
Communicator

Need more clarity on this question.
