- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Splunk Group Events By timestamp
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I have this log file mixed with a single and multiple line events, my problem is that splunk is breaking some multiline events, what I want to do is group the event if splunk detects a timestamp and until a new timestamp is detected it will be displayed as a one event?
what i want to happen is in this format:
[timestamp][message] //event1
[message] //event1
[message] //event1
[timestamp][message] //event2
[timestamp][message] //event3
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is actually the default behaviour. Splunk will break when it finds a valid timestamp. What might be happening is that Splunk finds something else that it considers to be a valid timestamp in the places within event 1 where it's breaking though it shouldn't. You can tell Splunk explicitly what time format it should be looking for by specifying TIME_FORMAT for the sourcetype in question in props.conf.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is actually the default behaviour. Splunk will break when it finds a valid timestamp. What might be happening is that Splunk finds something else that it considers to be a valid timestamp in the places within event 1 where it's breaking though it shouldn't. You can tell Splunk explicitly what time format it should be looking for by specifying TIME_FORMAT for the sourcetype in question in props.conf.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes. Like I said, you can set TIME_FORMAT. More information on this is available here: http://docs.splunk.com/Documentation/Splunk/5.0/Data/Configuretimestamprecognition
In your case the time format would be something like:
TIME_FORMAT = %Y-%m-%d %H:%M:%S
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi ayn,
I have checked the logs and it seems your right, there are some lines that have a timestamp but it's a little different.
the timestamp format that i want only splunk to recognize is:"2013-07-18 07:47:05,720"
that other timestamp format that splunk is recognizing is:
"2013-07-18T07:46:10.4696008Z"
now i don't have access to change the logs because it is being only sent to us by a third party
is it possible for splunk to not read the other timestamp format above
Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!
They're back! Join the SplunkTrust and MVP at .conf24
Enterprise Security Content Update (ESCU) | New Releases
