Splunk automatically splits into 2 events when it detects two different dates in a log

royimad
Builder

I have a log generated from log4j. An event of this log could be described by the following:

Fri Jan 04 2013 13:05:34,114 EST ERROR wavemark.webapp.interceptors.WmExceptionInterceptor - WaveMarkException occurred
wavemark.common.exceptions.WaveMarkException: Error while calling method [getReportData] in delegate [ReportSessionDelegate]
at wavemark.webapp.delegates.ReportSessionDelegate.getReportData(ReportSessionDelegate.java:52)
...multipleline
RepName, LastCabinetID, ExpectedDeliveryDate From MFR_MissingItem_RP, DB, N/A, dany.ostamdtru, null, 2013-03-06 10:58:30.974, 170, MEDTRONIC]
Query: InsertObjectQuery(wavemark.core.entities.PerformanceTiming@1d46a898)
at org.eclipse.persistence.internal.jpa.EntityManagerImpl.flush(EntityManagerImpl.java:699)

The above event contains 2 dates: one in the header at the top of the event and one on a later line (the second date may or may not exist, depending on the stack trace).

The question is why Splunk indexes this as 2 separate events and how to prevent this from happening. I only need Splunk to consider what begins with a date as a single event.

1 Solution

sowings
Splunk Employee

The default behavior is to consider a new timestamp to be a new event. You can do a couple of things:

  • Change your TIME_FORMAT to be explicit about which time stamps are the "real" ones for an event
  • Configure MAX_TIMESTAMP_LOOKAHEAD to only go "so far" into the event looking for a time stamp

If these don't work, you might have to resort to the following:

  • Turn off BREAK_ONLY_BEFORE_DATE
  • Consider turning off SHOULD_LINEMERGE, coupling it with an explicit regex in your LINE_BREAKER.

royimad
Builder

Do you think I need a LINE_BREAKER in my case?
\w{3}\s\w{3}\s\d{2}\s\d{4}\s\d{2}:\d{2}:\d{2}

0 Karma

sowings
Splunk Employee

Yes, you're right that it's props.conf. The stanza name will depend on what you have defined for the sourcetype of the data in inputs.conf. Let's say it's called "mylog4j". The stanza would then look like:

[mylog4j]
TIME_FORMAT = %a %b %d %Y %H:%M:%S,%3N %z
MAX_TIMESTAMP_LOOKAHEAD = 30

See strftime.net for hints on the format characters in TIME_FORMAT.

0 Karma
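To make the difference between the two breaking strategies in this thread concrete, here is an added Python simulation (not part of the thread, and not how Splunk is implemented internally): it merges a constructed log4j sample into events once treating any date-like line as an event start, the behaviour the question describes, and once treating only a line that begins with the header timestamp as an event start, the effect of a line-anchored LINE_BREAKER. It also mimics a lookahead window for the timestamp, in the spirit of MAX_TIMESTAMP_LOOKAHEAD. The sample text, the `SomeClass` logger name and the regexes are constructed for this example.

```python
import re
from typing import Callable, List, Optional

# Constructed sample (not from the thread) modelled on the log4j event in the question:
# a header line with the real timestamp, a stack trace, a second date buried in a JPA
# query parameter on a later line, then the next real event.
SAMPLE = (
    "Fri Jan 04 2013 13:05:34,114 EST ERROR wavemark.webapp.interceptors.WmExceptionInterceptor - WaveMarkException occurred\n"
    "wavemark.common.exceptions.WaveMarkException: Error while calling method [getReportData]\n"
    "\tat wavemark.webapp.delegates.ReportSessionDelegate.getReportData(ReportSessionDelegate.java:52)\n"
    "RepName, LastCabinetID From MFR_MissingItem_RP, DB, N/A, user, null, 2013-03-06 10:58:30.974, 170, MEDTRONIC]\n"
    "\tat org.eclipse.persistence.internal.jpa.EntityManagerImpl.flush(EntityManagerImpl.java:699)\n"
    "Fri Jan 04 2013 13:05:35,002 EST INFO wavemark.webapp.SomeClass - next event\n"
)

# Loose detection: any line containing something date-like, approximating what happens
# when BREAK_ONLY_BEFORE_DATE plus automatic timestamp recognition fire on "2013-03-06 ...".
ANY_DATE = re.compile(r"\d{4}-\d{2}-\d{2}|\w{3} \w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}")

# Strict detection: only a line that *starts* with the log4j header timestamp, i.e.
# royimad's LINE_BREAKER pattern anchored to the line start and extended with ms + zone.
HEADER_DATE = re.compile(r"^\w{3} \w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2},\d{3} \w{3}")

def break_events(text: str, starts_event: Callable[[str], bool]) -> List[str]:
    """Merge lines into events; a line for which starts_event(line) is true opens a new one."""
    events: List[str] = []
    for line in text.splitlines():
        if events and not starts_event(line):
            events[-1] += "\n" + line  # continuation of the current event
        else:
            events.append(line)  # new event (or leading lines before any header)
    return events

def break_on_any_date(text: str) -> List[str]:
    return break_events(text, lambda line: ANY_DATE.search(line) is not None)

def break_on_header_only(text: str) -> List[str]:
    return break_events(text, lambda line: HEADER_DATE.match(line) is not None)

def event_timestamp(event: str, lookahead: int) -> Optional[str]:
    """Mimic a MAX_TIMESTAMP_LOOKAHEAD window: search for the header timestamp only in the
    first `lookahead` characters of the event, so dates deeper in the body are never used."""
    m = HEADER_DATE.search(event[:lookahead])
    return m.group(0) if m else None

if __name__ == "__main__":
    print(len(break_on_any_date(SAMPLE)), "events when any date starts an event")  # 3
    print(len(break_on_header_only(SAMPLE)), "events when only the header timestamp does")  # 2
```

Note that the loose strategy cuts the stack trace in two at the "RepName, ..." line, exactly the symptom in the question, while the anchored strategy keeps the whole trace with its header.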

royimad
Builder

In the props.conf?

0 Karma

royimad
Builder

Thanks for the hint, but where should I edit these parameters? Can you give me an example?

0 Karma