Building for the Splunk Platform
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Multiple timestamps in a file

sandysplunker
Loves-to-Learn Lots
‎01-14-2021 08:07 AM

Hi,

I am trying to break the events based on the timestamp. 

File contains multiple time formats. 

sample Time stamps: 

01 January 2021 10:21:66
2021年01月01日 金曜日 10:07:54 AM
2021年01月01日 金曜日 14:54:03
2021年01月01日 12:55:54 PM
2021年01月01日 13:54:54
2021年1月1日 20:59:04
2021年1月1日 9:23:32 AM
金曜日, 3 1月 2021 11:49:45 AM
Monday 3 January 2021 14:01:40
Monday, 3 January 2021 11:05:11 AM
Monday, January 3, 2021 10:04:44 AM
Thu Jan 7 22:33:44 EST 2021

Sample events:

07 January 2021 18:21:56


Employee1


Project Project Name Project Owner
------ ---------- -----------
A Y: \\Owner1\owner2
B Z: \\owner_1\owner 2
C g: \\owner11\owner12\owner 13

Friday, January 8, 2021 10:04:44 AM


Employee2


Project Project Name Project Owner
------ ---------- -----------
A Y: \\Owner1\owner2
B Z: \\owner_1\owner 2
C g: \\owner11\owner12\owner 13

2021年01月08日 金曜日 10:07:54 AM

 

Employee3


Project Project Name Project Owner
------ ---------- -----------
A Y: \\Owner1\owner2
B Z: \\owner_1\owner 2
C g: \\owner11\owner12\owner 13

I tried with datetime.xml but it didn't work. 

Expected output:

Break events before timestamp and show results in the below tabular format.

Employee1 A Y: \\Owner1\owner2
Employee1 B Z: \\owner_1\owner 2
Employee1 C g: \\owner11\owner12\owner 13

Labels (2)
0 Karma
Reply

to4kawa
Ultra Champion
‎01-15-2021 02:50 PM

try (?m)

LINE_BREAKER=(?m)([\r\n]+).*\d\d\:\d\d\:\d\d($| [AP]M| \w{3} \d{4})

0 Karma
Reply

to4kawa
Ultra Champion
‎01-15-2021 05:15 AM

in props.conf:

LINE_BREAKER = ([\r\n]+).*\d\d\:\d\d\:\d\d($| [AP]M| \w{3} \d{4})

After that, please rex it.

 

0 Karma
Reply

sandysplunker
Loves-to-Learn Lots
‎01-15-2021 07:45 AM

I tried mentioned props but below events are excluded.


2021年01月08日 金曜日 10:07:54 AM

 

Employee3


Project Project Name Project Owner
------ ---------- -----------
A Y: \\Owner1\owner2
B Z: \\owner_1\owner 2
C g: \\owner11\owner12\owner 13

0 Karma
Reply

to4kawa
Ultra Champion
‎01-15-2021 12:11 PM

Of course.
SHOULD_LINEMERGE = false
right?

sample:

 

 

sourcetype=your_sourcetype
| rex "(?m)(?<employee>^\w+$)"
| rex "(?ms)----$\s(?<csv>.*)"
| rex field=csv max_match=0 "(?m)(?<project>\S+)\s(?<project_name>\S+)\s(?<project_owner>.*)"
| table employee project*

 

 

0 Karma
Reply

sandysplunker
Loves-to-Learn Lots
‎01-15-2021 02:17 PM


Yes, still events are not breakings before timestamp. 

sandysplunker_0-1610747944774.png

 

 

Sample time formats in my log data:

01 January 2021 10:21:66
2021年01月01日 金曜日 10:07:54 AM
2021年01月01日 金曜日 14:54:03
2021年01月01日 12:55:54 PM
2021年01月01日 13:54:54
2021年1月1日 20:59:04
2021年1月1日 9:23:32 AM
金曜日, 3 1月 2021 11:49:45 AM
Monday 3 January 2021 14:01:40
Monday, 3 January 2021 11:05:11 AM
Monday, January 3, 2021 10:04:44 AM
Thu Jan 7 22:33:44 EST 2021

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Forwarders and Forced Time Based Load Balancing

Splunk customers use universal forwarders to collect and send data to Splunk. A universal forwarder can send ...

NEW! Log Views in Splunk Observability Dashboards Gives Context From a Single Page

Today, Splunk Observability releases log views, a new feature for users to add their logs data from Splunk Log ...

Last Chance to Submit Your Paper For BSides Splunk - Deadline is August 12th!

Hello everyone! Don't wait to submit - The deadline is August 12th! We have truly missed the community so ...