Splunk Search

Field Extract and Format Time Stamp

jfeitosa
Path Finder

Hi All.

How to break this log block so that it reads each row as an event, and this log is not in timestamp format?

The date would be the start and end of the user session on the system.

The following is an example of the log:
cod|user |system |day|month|year|hour|minute|day|month|year|hour|minute
001|00129810|cis2121000 |01|03|18|10|46|01|03|18|10|46 001|user001 |cis2200000 |01|03|18|10|46|01|03|18|10|46 001|00129810|cis2121000 |01|03|18|10|46|01|03|18|10|46 001|user001 |cisli2100m000 |01|03|18|10|46|01|03|18|10|46 001|user001 |cisli2100m000 |01|03|18|10|46|01|03|18|10|46 001|00129810|cis2121000 |01|03|18|10|46|01|03|18|10|46 001|00129810|cisli2100m000 |01|03|18|10|46|01|03|18|10|46 001|00821888|cis0121000 |01|03|18|10|46|01|03|18|10|46 001|user001 |cis2200000 |01|03|18|10|46|01|03|18|10|46

Do I have to configure in props.conf and transform.conf by sourcetype?
REGEX = = (.{3}).(.{8}).(.{16}).(.{2}).(.{2}).(.{2}).(.{2}).(.{2}).(.{2}).(.{2}).(.{2}).(.{2}).(.{2})
FORMAT = emp::$1 user::$2 session_id::$3 datei_mday::$4 datei_month::$5 datei_year::$6 datei_hour::$7 datei_minute::$8 datef_mday::$9 datef_month::$10 datef_year::$11 datef_hour::$12 datef_minute::$13

I tried to create this REGEX, but it did not work.

Can you help me please?

Best Regards.

Tags (1)
0 Karma

danielasilva
New Member

If you have multiple events using the same line, then you should use the props that should look something like this:
props.conf:
[sourcetype]
TIME_PREFIX = depends on the timestamp you want
TIME_FORMAT = not sure what time you want to use - initial or final
MAX_TIMESTAMP_LOOKAHEAD = ?
SHOULD_LINEMERGE = true
LINE_BREAKER = |\d{2}(\s)\d+
TRUNCATE = 50000
REPORT-extraction = your_extraction

transfoms.conf:
[your_extraction]
DELIMS = "|"
FIELDS = emp, user, session_id, datei_mday, datei_month, datei_year, datei_hour, datei_minute, datef_mday, datef_month, datef_year, datef_hour, datef_minute

Hope it works!

0 Karma

jfeitosa
Path Finder

Thanks for the answer. I'll test and return with the result.
Thanks in advance.

0 Karma

493669
Super Champion

set below in props.conf:

SHOULD_LINEMERGE = false

it will separate each line as an event

SHOULD_LINEMERGE = [true|false]
* When set to true, Splunk combines several lines of data into a single
  multi-line event, based on the following configuration attributes.
* Defaults to true.
0 Karma

jfeitosa
Path Finder

Thanks for the answer. I'll test and return with the result.
Thanks in advance.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...