How to extract and assign a timestamp from a multiline event?

srinathd
Contributor

How do I extract and assign the timestamp from the multiline event below? The timestamp is on the 4th line from the last.

Test Log Management
Y12354.ABC
Y12354.ABCýY12354.AMýY12354.PM


LIVE
AMENDýCREATEýNEW
NavigationýNavigationýNavigation
14832 task T1455671 amended - refreshýQC14790 (Correction customer and AccountýMigration of role 256
1505081034ý1504081139ý1503171221
approvedýapprovedýapproved
1505081129ý1504081150ý1503171225















3
4
1506091724
2015_*Y12354.ABC
IN0010001
1
1 Solution

woodcock
Esteemed Legend

Use this in props.conf:

TIME_PREFIX = (?:[\r\n]+)(?=\d{10,}[\r\n])


srinathd
Contributor

But sometimes in the log, on the 10th line, we also have the value "1505081034" instead of "1505081034ý1504081139ý1503171221", but we should not consider this as the timestamp. We have to assign the time which is on the 30th line (1507101814) as the timestamp. How to do that? Below is the sample log:

Test Log Management
Y12354.ABC
Y12354.ABC


LIVE
AMEND
Navigation
14832 task T1455671 amended - refresh
1505081034
approved
1505081129















3
4
2015_*Y12354.ABC
1507101814
2015_*Y12354.ABC
IN0010001
1

woodcock
Esteemed Legend

You can tell it to always skip at least "x" lines; here is how to do it for x=15:

TIME_PREFIX = ([^\r\n]*[\r\n]){15}.*(?:[\r\n]+)(?=\d{10,}[\r\n])

srinathd
Contributor

I have used this. It is working perfectly:

TIME_PREFIX = (?:[\r\n]+)(?=\d{10,}[\r\n]+[\w\_\\*\d\.]*[\r\n]+[A-Z]{2}\d{7,}[\r\n]+)
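The three TIME_PREFIX values proposed in this thread (the accepted answer, the "skip 15 lines" variant, and the final regex above) behave differently on the two sample events, and the difference is easier to see when run than when read. The script below is an added example, not code from the thread or from Splunk: it rebuilds both sample events from the thread as constructed strings and applies each regex with a simplified model of how Splunk uses TIME_PREFIX (search for the first match, then parse the timestamp from the text immediately after it, within MAX_TIMESTAMP_LOOKAHEAD characters). The TIME_FORMAT of `%y%m%d%H%M` and the lookahead of 128 are assumptions; the thread never states them, but every 10-digit value it treats as a timestamp parses that way.

```python
import re
from datetime import datetime
from typing import Optional

# Constructed sample events, rebuilt from the two log samples in the thread.
# Splunk hands timestamp extraction one event at a time, so each sample is one
# multiline string; the 15 blank lines in the middle are kept because the
# "skip 15 lines" regex depends on them.
EVENT_DELIMITED = "\n".join([
    "Test Log Management",
    "Y12354.ABC",
    "Y12354.ABCýY12354.AMýY12354.PM",
    "",
    "",
    "LIVE",
    "AMENDýCREATEýNEW",
    "NavigationýNavigationýNavigation",
    "14832 task T1455671 amended - refreshýQC14790 (Correction customer and AccountýMigration of role 256",
    "1505081034ý1504081139ý1503171221",
    "approvedýapprovedýapproved",
    "1505081129ý1504081150ý1503171225",
] + [""] * 15 + [
    "3",
    "4",
    "1506091724",          # the real timestamp: 4th line from the end
    "2015_*Y12354.ABC",
    "IN0010001",
    "1",
]) + "\n"

EVENT_SINGLE = "\n".join([
    "Test Log Management",
    "Y12354.ABC",
    "Y12354.ABC",
    "",
    "",
    "LIVE",
    "AMEND",
    "Navigation",
    "14832 task T1455671 amended - refresh",
    "1505081034",          # a bare 10-digit line that is NOT the timestamp
    "approved",
    "1505081129",
] + [""] * 15 + [
    "3",
    "4",
    "2015_*Y12354.ABC",
    "1507101814",          # the real timestamp
    "2015_*Y12354.ABC",
    "IN0010001",
    "1",
]) + "\n"

# The three TIME_PREFIX values from the thread. They use only the PCRE subset
# that Python's re module shares (lookahead, character classes, counted repeats).
PREFIX_FIRST_DIGIT_LINE = r"(?:[\r\n]+)(?=\d{10,}[\r\n])"
PREFIX_SKIP_15_LINES = r"([^\r\n]*[\r\n]){15}.*(?:[\r\n]+)(?=\d{10,}[\r\n])"
PREFIX_CONTEXT_ANCHORED = (
    r"(?:[\r\n]+)(?=\d{10,}[\r\n]+[\w\_\\*\d\.]*[\r\n]+[A-Z]{2}\d{7,}[\r\n]+)"
)

# Assumed props.conf companions (not stated in the thread): the 10-digit values
# parse as %y%m%d%H%M (1506091724 -> 2015-06-09 17:24); 128 is Splunk's
# default MAX_TIMESTAMP_LOOKAHEAD.
TIME_FORMAT = "%y%m%d%H%M"
MAX_TIMESTAMP_LOOKAHEAD = 128


def extract_timestamp(event: str, time_prefix: str,
                      time_format: str = TIME_FORMAT,
                      lookahead: int = MAX_TIMESTAMP_LOOKAHEAD) -> Optional[datetime]:
    """Simplified model of Splunk's TIME_PREFIX handling (an approximation, not
    Splunk's own code): find the first match of the prefix regex, then read the
    timestamp from the text immediately after the match, looking at most
    `lookahead` characters ahead. Returns None when nothing parses."""
    prefix = re.search(time_prefix, event)
    if prefix is None:
        return None
    window = event[prefix.end():prefix.end() + lookahead]
    digits = re.match(r"\d{10}", window)   # TIME_FORMAT here is exactly 10 digits
    if digits is None:
        return None
    try:
        return datetime.strptime(digits.group(0), time_format)
    except ValueError:
        return None


if __name__ == "__main__":
    for name, prefix in [("first 10-digit line", PREFIX_FIRST_DIGIT_LINE),
                         ("skip 15 lines", PREFIX_SKIP_15_LINES),
                         ("anchored on following lines", PREFIX_CONTEXT_ANCHORED)]:
        print(f"{name:30} delimited: {extract_timestamp(EVENT_DELIMITED, prefix)}"
              f"   single: {extract_timestamp(EVENT_SINGLE, prefix)}")
```

On the delimited sample all three regexes land on 1506091724, because the earlier 10-digit values are followed by the ý delimiter rather than a line break. On the single-value sample the accepted answer's regex stops at the first bare 10-digit line (1505081034, the wrong one), while both the line-skipping regex and the final regex that anchors on the `2015_*...` and `IN...` lines after the timestamp pick 1507101814. The line-skipping variant only works while the blank-line padding stays fixed, which is why anchoring on the surrounding lines is the more robust choice.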

woodcock
Esteemed Legend

Is 1506091724 your timestamp? Why do I see it at the top, too?

srinathd
Contributor

Yes. It is the timestamp. I have added it at the top for testing purposes, but actually it exists at the bottom. I have modified the log.
