Solved: Recognizing timestamps split across multiple lines

MatMeredith · ‎04-30-2013

My event have separate date and time fields on separate lines. E.g.

Date: 29 April 2013

Time: 12:02:03.6

Is it possible to configure Splunk to automatically extract timestamps for these events, piecing together the date and time as necessary?

Many thanks!

_d_ · ‎04-30-2013

Not automatically. I would use datetime.xml here and define custom extractions.

View solution in original post

_d_ · ‎04-30-2013

Not automatically. I would use datetime.xml here and define custom extractions.

MatMeredith · ‎05-01-2013

That's what I feared... Thanks!

kristian_kolb · ‎04-30-2013

Splunk is fairly good at interpreting timestamps by itself. You could try to index a log file and see how well it performs. Two things, though;

1) ensure that you have correct line_breaking, since splunk will normally break events when on the line where it encounters a timestamp. So if you have some lines before the timestamp that are part of the event, you may need to get explicit with some props.conf settings (either a SHOULD_LINEMERGE=true / MUST_BREAK.., BREAK_ONLY.. combo, or SHOULD_LINEMERGE=false / LINE_BREAKER combo. See the docs for props.conf for this.

2) You'll probably need to adjust the MAX_TIMESTAMP_LOOKAHEAD to a higher number than the default 150.

See this (and the following) page(s);

http://docs.splunk.com/Documentation/Splunk/latest/Data/HowSplunkextractstimestamps

Hope this helps,

Kristian

MatMeredith · ‎05-01-2013

Sadly this doesn't seem to work. Splunk cannot automatically figure out the separate date and time fields... Thanks though!

Recognizing timestamps split across multiple lines

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor