Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

In a log with multiple date fields in different formats, how to create a custom histogram with the date of my choice?

chrisboy68
Contributor
‎01-12-2015 01:59 PM

Hi, I have an unstructured log like below. In the histogram, the events are getting confused and I suspect it's because of the multiple Date fields in different formats. How can I configure a custom histogram to include the event in between the tags and just be one of the dates (of my choice). Thank you!

For some reason I cant embed XML start and end tags in the forum. Updated below.

Chris

tagxml
Jan 12 16:43:37 10.160.82.29
Date: 2015-01-12T16:43:00-0500
Date: 1/12/2015 4:43 PM
Server: My Server
Error Message : My Error Message
tagxml

Tags (3)
Reply
1 Solution
Solved! Jump to solution
Solution

lguinn2
Legend
‎01-13-2015 10:13 AM

For the file clip that you have above, you could start with the following sourcetype definition:

In inputs.conf at the source of the data:

[monitor://pathtothisfile]
sourcetype=mySourceType

There! You just created a sourcetype! In props.conf on the indexer, you define how the sourcetype is parsed:

[mySourceType]
SHOULD_LINEMERGE=true
TRUNCATE=0
BREAK_ONLY_BEFORE = \<tagxmlforbeginningofevent\>
MAX_EVENTS =512
TIME_PREFIX = \<xmltagjustbeforethedateyouwant\>\s*
MAX_TIMESTAMP_LOOKAHEAD=25

I don't know if these settings are exactly right for your file, but it should be pretty close. You can look at the definition of props.conf in the manual for info on each setting. TIME_PREFIX is important because it identifies the character string just before the timestamp that you want. MAX_TIMESTAMP_LOOKAHEAD is needed to say "after you find the prefix, just look at the next 25 characters to find the timestamp." This prevents Splunk from continuing to scan the event looking for other possible timestamps.

View solution in original post

Reply
Solved! Jump to solution
Solution

lguinn2
Legend
‎01-13-2015 10:13 AM

For the file clip that you have above, you could start with the following sourcetype definition:

In inputs.conf at the source of the data:

[monitor://pathtothisfile]
sourcetype=mySourceType

There! You just created a sourcetype! In props.conf on the indexer, you define how the sourcetype is parsed:

[mySourceType]
SHOULD_LINEMERGE=true
TRUNCATE=0
BREAK_ONLY_BEFORE = \<tagxmlforbeginningofevent\>
MAX_EVENTS =512
TIME_PREFIX = \<xmltagjustbeforethedateyouwant\>\s*
MAX_TIMESTAMP_LOOKAHEAD=25

I don't know if these settings are exactly right for your file, but it should be pretty close. You can look at the definition of props.conf in the manual for info on each setting. TIME_PREFIX is important because it identifies the character string just before the timestamp that you want. MAX_TIMESTAMP_LOOKAHEAD is needed to say "after you find the prefix, just look at the next 25 characters to find the timestamp." This prevents Splunk from continuing to scan the event looking for other possible timestamps.

Reply
Solved! Jump to solution

chrisboy68
Contributor
‎01-13-2015 11:53 AM

Perfect, ok now i figured out where to read and put my regex's in . Thank you,

Chris

0 Karma
Reply
Solved! Jump to solution

lguinn2
Legend
‎01-15-2015 11:20 AM

GACK!! I put SHOULD_LINEMERGE=false in my original answer and it should have been SHOULD_LINEMERGE=true

I fixed the answer!

Reply
Solved! Jump to solution

Richfez
SplunkTrust
SplunkTrust
‎01-13-2015 06:36 AM

While I or someone may have an answer to this specifically, I'd like to know a bit more regarding "the events are getting confused". From looking at this data and reading your post, there may be a "better" way to fix this by cleaning up how the data is interpreted when input. Can you explain a bit better?

Reply
Solved! Jump to solution

chrisboy68
Contributor
‎01-13-2015 06:44 AM

I have two date fields named "Date" in one event. Example below

Date: 2015-01-13T09:28:00-0500
Date: 1/13/2015 9:28 AM
multi line log entry
stuff
stuff

I get one event as "Date: 2015-01-13T09:28:00-0500" and thats it, the rest of the payload of the log is not there. There is another event "Date: 1/13/2015 9:28 AM" that has the payload of the log.

Thanks for your help!

Chris

0 Karma
Reply
Solved! Jump to solution

tom_frotscher
Builder
‎01-13-2015 07:08 AM

Thats exactly what @rich7177 was going to tell you. Splunk recognized two events, while you only want it to be one event. What you can do is to tell splunk which of those two dates is the one you want to specify for your events, and as rich7177 said, this has to be done while indexing. You indexed those events under a certain sourcetype, you have to adjust this sourcetype, so it breaks events at the occurence of the first date. Therefore, you will need to tell splunk the format of your date. If you are not that experienced, this is done best with the preview feature.

Reply
Solved! Jump to solution

chrisboy68
Contributor
‎01-13-2015 07:33 AM

Thanks. Can you give me a hint where I would set up the custom format for a specific source type? I can read docs from there.

Thank you,

Chris

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing Splunk Enterprise 9.2

WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...