Getting Data In

How to line break events based on timestamp to include multiple lines in one event?

corydm
New Member
09-17-2014 18:00:01.024     DATA MESSAGE RCVD FROM:W228707 DATA:POLL\x04
09-17-2014 18:00:01.024     DATA MESSAGE RCVD FROM:NOCTMDS-A20 DATA:POLL
09-17-2014 18:00:01.024     DATA MESSAGE RCVD FROM:W203911 DATA:POLL\x04
09-17-2014 18:00:01.055     DATA MESSAGE RCVD FROM:W231427 DATA:POLL\x04
09-17-2014 18:00:01.071     DATA MESSAGE RCVD FROM:W211499 DATA:POLL\x04
09-17-2014 18:00:01.087     DATA MESSAGE RCVD FROM:W231259 DATA:POLL\x04

This is the log file I am indexing, and I would like to make it so that when I index it, the timestamp is what determines when a new event occurs. In the data above, the first 3 lines are one event, and the last 3 lines are all independent events. I, for the life of me, haven't been very successful with this... I've tried a couple of different methods using the Data previewer and setting my line breaks, but I cannot get it to do it correctly. I know this is a very simple thing, so I was wondering if someone could rattle off the solution, and be my easy button.

Thanks

0 Karma

sk314
Builder

Do you need them to be included as the same event at index time? You could always club them as a single event at search time using the transaction command like so:
| transaction _time

0 Karma

sk314
Builder

Try using stats list(_raw) by _time. Would be faster. Hope it helps.

0 Karma

corydm
New Member

Doing it at search time is too slow for what I am trying to achieve. When we do transaction _time, the query takes 2/3 minutes to run. I really need to index them together as an event based on timestamp (though really, I need to group this data into one event):

9/17/14 6:00:06.274 PM
09-17-2014 18:00:06.274 DATA MESSAGE RCVD HOSTNAME-1 DATA:HLCSPOSITIONINFO;;S123412|STUFF THING|1234.111|112211|UPDATE|54321

9/17/14 6:00:06.274 PM
09-17-2014 18:00:06.274 HOSTNAME-1:RCVD DATA = HLCSPOSITIONINFO;S123412|STUFF THING|1234.111|112211|UPDATE|54321

9/17/14 6:00:06.274 PM
09-17-2014 18:00:06.274 DATAGRAM FORWARDED TO CLIENT: <123412> [HLCSPOSITIONINFO;S123412|STUFF THING|1234.111|112211|UPDATE|54321

9/17/14 6:00:06.274 PM
09-17-2014 18:00:06.274 MOBILE CLIENT ASSIGNMENT FOUND:S123412

This is coming across as 4 separate events, and I need it to be one event. We can easily get this done at search time, but our need is to have it done at index time. It does -not- have to be by the timestamp; it seemed like low-hanging fruit at the time, but it is still eluding us.

0 Karma
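The grouping the question is after, merging consecutive lines that carry the same timestamp into one event, written out as a standalone pre-processing script. This is an added example, not code from any of the posters and not a Splunk props.conf setting; it assumes every event starts with the MM-DD-YYYY HH:MM:SS.mmm prefix shown in the posts, and treats a line without that prefix as a continuation of the current event.

```python
import re
from typing import List, Optional

# Timestamp prefix used by the log in the question: MM-DD-YYYY HH:MM:SS.mmm
TS_RE = re.compile(r"^(\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3})\b")


def group_events(text: str) -> List[str]:
    """Merge consecutive lines with the same timestamp into one event.

    A line whose timestamp differs from the current event's starts a new
    event; a line with no leading timestamp is appended to the current one.
    Blank lines are dropped. Splitting is done on "\\n" only, so control
    bytes such as \\x04 inside a line do not break it.
    """
    events: List[str] = []
    current: List[str] = []
    current_ts: Optional[str] = None
    for line in text.split("\n"):
        if not line.strip():
            continue
        m = TS_RE.match(line)
        if m is None or m.group(1) == current_ts:
            current.append(line)          # continuation or same timestamp
        else:
            if current:
                events.append("\n".join(current))
            current, current_ts = [line], m.group(1)
    if current:
        events.append("\n".join(current))
    return events


# Constructed sample, assembled from the lines quoted in the question
SAMPLE = (
    "09-17-2014 18:00:01.024     DATA MESSAGE RCVD FROM:W228707 DATA:POLL\x04\n"
    "09-17-2014 18:00:01.024     DATA MESSAGE RCVD FROM:NOCTMDS-A20 DATA:POLL\n"
    "09-17-2014 18:00:01.024     DATA MESSAGE RCVD FROM:W203911 DATA:POLL\x04\n"
    "09-17-2014 18:00:01.055     DATA MESSAGE RCVD FROM:W231427 DATA:POLL\x04\n"
    "09-17-2014 18:00:01.071     DATA MESSAGE RCVD FROM:W211499 DATA:POLL\x04\n"
    "09-17-2014 18:00:01.087     DATA MESSAGE RCVD FROM:W231259 DATA:POLL\x04\n"
)

if __name__ == "__main__":
    for i, ev in enumerate(group_events(SAMPLE), 1):   # 4 events, first has 3 lines
        print(f"--- event {i} ({ev.count(chr(10)) + 1} line(s)) ---")
        print(ev)
```

Run against the six-line sample it yields four events, the first holding the three 18:00:01.024 lines; the same function collapses the four HLCSPOSITIONINFO lines from the later post into a single event.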