如何区分日志的每一条记录

wangyong_2 · ‎06-10-2015

1、日志是以时间开头的，比如：00:11:12:471，也就是当天零点11分12秒471毫秒，可是，splunk识别的时间为15/06/11 2:00 00 000
该怎么办？

2、如下的一行，事实上不是一条新的记录，只是上一条记录没写完而另起一行
0|36491.61|36491.61|0|36491.61|199661.61|63170.00||
而splunk识别成了一条新的记录，该怎么办？
我已经在indexer端的props.conf中添加了如下项：
SHOULD_LINEMERGE = True
BREAK_ONLY_BEFORE_DATE = True
可是没有BREAK_ONLY_BEFORE_TIME参数吧？

echozero39 · ‎06-10-2015

For your sourcetype, I think first of all you could try :

SHOULD_LINEMERGE=false;

and you can define :

BREAK_ONLY_BEFORE=^\d\d:\d\d:\d\d

which présents time

OR you could try LINE_BREAKER=

Use preview when you add data to make sure the indexation is ok, otherwise you have to clean up the index and reindex.

MichaelPriest · ‎06-10-2015

1 , the log is at the beginning of time , for example: 00:11 : 12: 471 , which is the same day 0:11:12 471 milliseconds , however , splunk recognition time is 15/06/11 2:00 00000
How to do ?

2 , the following line , in fact, not a new record , but did not finish on a record and a separate line
0 | 36491.61 | 36491.61 | 0 | 36491.61 | 199661.61 | 63170.00 ||
The splunk recognition became a new record , how to do ?
I've added the following entry in the indexer side props.conf in :
SHOULD_LINEMERGE = True
BREAK_ONLY_BEFORE_DATE = True
But no BREAK_ONLY_BEFORE_TIME argument , right?

如何区分日志的每一条记录

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life