Hi
In my search table there are some multiple events with one timestamp.
I need to split them.
Does somebody have any idea?
Thanks in advance for your help
Hi
Thanks for all your replies.
@ITWhisperer well that's right, but I can't see the single logs in my table because of the same time stamp.
@s2_splunk my table should separate all single logs for my dashboard. Maybe it helps if I say I need to improve the timestamps, e.g. today: 05:45:03.624 --> 05:45:03.624xxxx, you know what I mean?
@m_pham I will try it, give me a moment 🙂
My goal is to display the search on my dashboard for my firewall guys. They want a global view of the genugate (btw the 2 firewalls log with one IP because there is only one page for the config).
This "global table" is for alarming and counting events.
The next step is to split both logs for separate detail searches (each firewall with its own table).
I hope you understand my plan, sorry for my simple broken English 🙂
Ah, maybe it's important to say:
my setup is an index cluster (3 indexers).
Hi - you have multiple events with the same timestamp because Splunk line-breaks the events at every new line in the log you are ingesting (syslog). They all have the same timestamp because Splunk extracted those timestamps from the timestamp within the log itself - in your example: %Y-%m-%dT%H:%M:%S.%QZ
Can you post the Splunk search you are using in the screenshot for the results you posted? Also can you clarify more on what you are trying to achieve?
On another note - you have to make sure you have these configurations at index time when you want the event to have the correct timestamp:
props.conf
[custom:sourcetype]
TIME_PREFIX =
MAX_TIMESTAMP_LOOKAHEAD =
TIME_FORMAT =
If the time zone in your log is different from the one on the server parsing the logs (HF/IDX), then set this to match the time zone in the log (which appears to be UTC in your case).
TZ = UTC
I'd try to set a unique sourcetype for the syslog data you are ingesting so as not to override any of the default "syslog" sourcetype configs.
Overall - it's best practice to have these configurations for any logs to prevent Splunk from guessing the line breaking and timestamp.
TIME_PREFIX =
MAX_TIMESTAMP_LOOKAHEAD =
TIME_FORMAT =
SHOULD_LINEMERGE = false
LINE_BREAKER =
# Default is 10,000 but you can set higher if your log exceeds this
TRUNCATE = 10000
Sorry,
that doesn't work this way for me.
There are these empty table slots with two or more entries behind them (same time stamp).
Maybe you have any other ideas?
In your example, you see empty values for some rows because one of the three events with the same timestamp has a different message format than the other two and does not contain the same fields (e.g. baddr).
I think we can help better if you let us know what your expected outcome/report should look like.
What do you mean by "split them"? They are already separate events. Or, do you just want to extract fields from them? Or, do you want to tag them so they have unique ids? (Consider streamstats count as row, optionally with by _time.)
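As an added example (not posted by anyone in this thread), here is one way to follow the streamstats suggestion above: events that share a timestamp get a per-timestamp row number, which is then folded into a unique, sortable id, and the missing field from the differently formatted event is filled so the table shows no empty cells. The index and sourcetype are placeholders; baddr is the field named above.

```spl
index=<your_index> sourcetype=<your_firewall_sourcetype>
| sort 0 _time
``` number each event within its timestamp group (1, 2, 3, ...) ```
| streamstats count AS row BY _time
``` derive a unique id: original timestamp to the millisecond plus the row number ```
| eval event_id = strftime(_time, "%Y-%m-%dT%H:%M:%S.%3N") . "-" . row
``` optional: a synthetic time offset in microseconds so each event also sorts uniquely by time ```
| eval seq_time = _time + (row - 1) / 1000000
| eval seq_time_str = strftime(seq_time, "%Y-%m-%dT%H:%M:%S.%6N")
``` the event without baddr caused empty cells; fill it explicitly ```
| fillnull value="-" baddr
| table event_id seq_time_str row baddr _raw
```

The lines between the triple-backtick markers inside the block are explanatory notes and are not part of the search; remove them (or convert them to a single SPL pipeline with no interleaved text) before pasting into the search bar.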