In a log file, I have a section which is something similar as below:
Description: DELL HOME COMPUTER
MFG-On: 2012-10-11 08:07:36
From the above lines in the log file, I would like to identify,
for a particular part number (in this case 12345-678),
if the serial number lies with a range (in this case if the 3 digits after the first 3 characters lies with 110 & 150)
if MFG-on is earlier to 12th Dec 2012
then raise an alert
I am a beginer in splunk and would like to have some guidance.
Thank you for your prompt response.
The log file has both events based on timestamp and configuration section.
Can we use what you suggested just for the configuration section and use time stamp for rest of the log?
Or do you recommend 2 different queries - one for parsing the time stamp and other for parsing the configuration section?
With Best Wishes,
You need to know if these lines from this log file are a single event or not. Splunk can easily read in multi-line events and it would not matter if the data you are looking for is in separate lines of the event or not.
Splunk's default configuration is to merge lines from a file into multi-line events, using the discovery of a timestamp in a line as the hint that a prior event is over and a new one has begun. If your log file has no other timestamp than the "MFG-ON" line you show, this may not be what you want.
In this case, I would probably suggest a custom
LINE_BREAKER to make sure your multiple lines are correctly parsed into a single event. Then your search is easy. How to configure line breaking is covered in the Splunk Docs at http://docs.splunk.com/Documentation/Splunk/5.0.4/Data/Indexmulti-lineevents