Splunk Search

one timestamp multi events

gotarr
Explorer

Hi

In my search table there are some multiple events with one timestamp.

I need to split them.

Does somebody have any idea?

Thanks in advance for your help.

(attachments: search.PNG, table.PNG)


gotarr
Explorer

Hi

Thanks for all your replies.

@ITWhisperer  well that's right but I can't see the single logs in my table because of the same time stamp.

@s2_splunk my table should separate all single logs for my dashboard. Maybe it helps if I say I need to improve the timestamps, e.g. today: 05:45:03.624 --> 05:45:03.624xxxx  you know what I mean?

@m_pham I will try it, give me a moment 🙂

My goal is to display the search on my dashboard for my firewall guys. They want a global view of the genugate (btw the 2 firewalls log with one IP because there is only one page for the config).
This "global table" is for alarming and counting events.

The next step is to split both logs for separate detail searches (each firewall with their own table).

I hope you understand my plan, sorry for my simple broken English 🙂

(attachments: suche.PNG, table2.PNG)


gotarr
Explorer

Ah, maybe it's important to say:

my setup is an Index Cluster (3 indexers).

m_pham
Splunk Employee

Hi - you have multiple events with the same timestamp because Splunk line-breaks the events at every new line of the log you are ingesting (syslog). They all have the same timestamp because Splunk extracted those timestamps from the timestamp within the log itself - in your example: %Y-%m-%dT%H:%M:%S.%QZ

Can you post the Splunk search you are using in the screenshot for the results you posted? Also can you clarify more on what you are trying to achieve?

On another note - you have to make sure you have these configurations at index time when you want the event to have the correct timestamp:

props.conf

[custom:sourcetype]

TIME_PREFIX =
MAX_TIMESTAMP_LOOKAHEAD =
TIME_FORMAT =

If the time zone in your log is different from the one on the server parsing the logs (HF/IDX), then set this to match the timezone in the log (which appears to be UTC in your case).

TZ = UTC

I'd try to set a unique sourcetype for the syslog data you are ingesting so as not to override any of the default "syslog" sourcetype configs.

Overall - it's best practice to have these configurations for any logs to prevent Splunk from guessing the line breaking and timestamp.

TIME_PREFIX =
MAX_TIMESTAMP_LOOKAHEAD =
TIME_FORMAT =
SHOULD_LINEMERGE = false
LINE_BREAKER =

# Default is 10,000 but you can set higher if your log exceeds this
TRUNCATE = 10000


gotarr
Explorer

Sorry,

it doesn't work this way for me.

There are these empty table slots with two or more entries behind (same time stamp).

Maybe you have any other ideas?

s2_splunk
Splunk Employee

In your example, you see empty values for some rows because one of the three events with the same timestamp has a different message format than the other two and does not contain the same fields (e.g. baddr).

I think we can help better if you let us know what your expected outcome/report should look like.


ITWhisperer
SplunkTrust

What do you mean by "split them"? They are already separate events. Or do you just want to extract fields from them? Or do you want to tag them so they have unique ids? (Consider streamstats count as row, optionally with by _time.)

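A search that does the per-timestamp tagging ITWhisperer suggests, as an added example and not from any of the posters; the index name, the sourcetype name and the baddr field are assumptions:

```spl
index=firewall sourcetype="genugate:syslog"
| streamstats count AS seq BY _time
| eval event_key = strftime(_time, "%Y-%m-%dT%H:%M:%S.%3N") . "-" . seq
| fillnull value="-" baddr
| table event_key _time seq baddr _raw
```

seq runs 1, 2, 3 for events that share the same millisecond, so each event gets its own row and a unique event_key even though _time is identical; fillnull keeps rows whose message format lacks baddr (s2_splunk's point) from showing as empty cells.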