Splunk automatically splits into 2 events when it detects two different dates in a log

royimad
Builder

I have a log generated from log4j.
An event of this log could be described by the following:

Fri Jan 04 2013 13:05:34,114 EST ERROR wavemark.webapp.interceptors.WmExceptionInterceptor - WaveMarkException occurred
wavemark.common.exceptions.WaveMarkException: Error while calling method [getReportData] in delegate [ReportSessionDelegate]
at wavemark.webapp.delegates.ReportSessionDelegate.getReportData(ReportSessionDelegate.java:52)
...multipleline
RepName, LastCabinetID, ExpectedDeliveryDate From MFR_MissingItem_RP, DB, N/A, dany.ostamdtru, null, 2013-03-06 10:58:30.974, 170, MEDTRONIC]
Query: InsertObjectQuery(wavemark.core.entities.PerformanceTiming@1d46a898)
at org.eclipse.persistence.internal.jpa.EntityManagerImpl.flush(EntityManagerImpl.java:699)

The above event contains 2 dates, one in the header at the top of the event and one on a line further down (the second date may or may not exist, depending on the stacktrace).

The question is why Splunk indexes this as 2 separate events and how to prevent this from happening. I only need Splunk to consider what begins with a date as a single event.

1 Solution

sowings
Splunk Employee

The default behavior is to consider a new timestamp to be a new event. You can do a couple of things:

  • Change your TIME_FORMAT to be explicit about which time stamps are the "real" ones for an event
  • Configure MAX_TIMESTAMP_LOOKAHEAD to only go "so far" into the event looking for a time stamp

If these don't work, you might have to resort to the following:

  • Turn off BREAK_ONLY_BEFORE_DATE
  • Consider turning off SHOULD_LINEMERGE, coupling it with an explicit regex in your LINE_BREAKER.


royimad
Builder

Do you think I need a LINE_BREAKER in my case?
\w{3}\s\w{3}\s\d{2}\s\d{4}\s\d{2}:\d{2}:\d{2}


sowings
Splunk Employee

Yes, you're right that it's props.conf. The stanza name will depend on what you have defined for the sourcetype of the data in inputs.conf. Let's say it's called "mylog4j". The stanza would then look like:

[mylog4j]
TIME_FORMAT = %a %b %d %Y %H:%M:%S,%3N %z
MAX_TIMESTAMP_LOOKAHEAD = 30

See strftime.net for hints on the format characters in TIME_FORMAT.

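To see why the accepted answer's LINE_BREAKER suggestion (and the props.conf stanza above that narrows where Splunk looks for a timestamp) stops the split, here is an added Python simulation, not Splunk code and not from this thread: it applies the poster's header regex from the reply above as the only event boundary, next to a loose "any line with a timestamp starts an event" rule standing in for the default behaviour the answer describes. The sample log is constructed from the question's excerpt (the second event is invented), and the function names are my own.

```python
import re

# Constructed sample: two log4j events; the first embeds an unrelated
# timestamp (2013-03-06 ...) inside its stack trace, as in the question.
SAMPLE_LOG = """\
Fri Jan 04 2013 13:05:34,114 EST ERROR wavemark.webapp.interceptors.WmExceptionInterceptor - WaveMarkException occurred
wavemark.common.exceptions.WaveMarkException: Error while calling method [getReportData] in delegate [ReportSessionDelegate]
\tat wavemark.webapp.delegates.ReportSessionDelegate.getReportData(ReportSessionDelegate.java:52)
RepName, LastCabinetID, ExpectedDeliveryDate From MFR_MissingItem_RP, DB, N/A, dany.ostamdtru, null, 2013-03-06 10:58:30.974, 170, MEDTRONIC]
Query: InsertObjectQuery(wavemark.core.entities.PerformanceTiming@1d46a898)
\tat org.eclipse.persistence.internal.jpa.EntityManagerImpl.flush(EntityManagerImpl.java:699)
Fri Jan 04 2013 13:05:35,002 EST INFO wavemark.webapp.Startup - request completed (constructed second event)
"""

# Loose "looks like a timestamp" check, standing in for default date
# auto-detection: it also matches the ISO-style date inside the stack trace.
ANY_TIMESTAMP = re.compile(
    r"(\w{3} \w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2})|(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})"
)

# The poster's header regex, anchored to the start of a line, so only the
# log4j header can open an event (the explicit LINE_BREAKER idea).
HEADER_BREAKER = re.compile(r"^\w{3}\s\w{3}\s\d{2}\s\d{4}\s\d{2}:\d{2}:\d{2}", re.M)


def split_on_any_timestamp(text: str) -> list[str]:
    """Default-like behaviour: every line carrying a timestamp starts a new event."""
    events: list[list[str]] = []
    for line in text.splitlines():
        if ANY_TIMESTAMP.search(line) or not events:
            events.append([])
        events[-1].append(line)
    return ["\n".join(e) for e in events]


def split_on_header(text: str) -> list[str]:
    """LINE_BREAKER-like behaviour: break only where a line starts with the header stamp."""
    starts = [m.start() for m in HEADER_BREAKER.finditer(text)]
    if not starts or starts[0] != 0:
        starts.insert(0, 0)  # keep any leading text that precedes the first header
    bounds = starts + [len(text)]
    return [text[a:b].rstrip("\n") for a, b in zip(bounds, bounds[1:])]


if __name__ == "__main__":
    print("default-like:", len(split_on_any_timestamp(SAMPLE_LOG)), "events")
    print("header-only :", len(split_on_header(SAMPLE_LOG)), "events")
```

The default-like rule yields 3 events (the stack trace is cut at the embedded 2013-03-06 date), while breaking only on the line-initial header yields the expected 2.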

royimad
Builder

In the props.conf?


royimad
Builder

Thanks for the hint, but where should I edit these parameters? Can you give me an example?
