Re: Handling events with DateTime or just Time in ...

sini · ‎09-23-2021

Hi,

I am asking if it's possible to ingest logfiles where one logline would contain a DateTime and the following lines only contain Time, until the next entry with a DateTime. If we ignore Date as a whole by using a custom time DateTime format only consisting of %H:%M:%S it's using the creation date of the file and the time pulled from the individual event. While that works without issues for files containing less than 24 hours it fails for files containing more than 24 hours of data:

### Job STARTED at 2021/09/21 00:30:00
[INFO ] 00:30:01 This is a test message
[WARN ] 01:15:01 This is a warning message
### Job STARTED at 2021/09/22 06:10:00
[INFO ] 06:10:01 This is a test message
[WARN ] 07:11:00 This is a warning message

Regards

codebuilder · ‎09-23-2021

You should be able to accomplish this in props.conf by defining your sourcetype with a combination of SHOULD_LINEMERGE=true and the supporting parameters to define how/where Splunk should break off from creating a multi-line event.

You'll just need to experiment in a test environment (or dummy index) with the settings and your actual events. I would start off with log files that contain only a few entries. Otherwise, you can potentially end up with a single event comprised of the entire file.

https://docs.splunk.com/Documentation/Splunk/8.2.2/Admin/Propsconf#Line_breaking

----
An upvote would be appreciated and Accept Solution if it helps!

Handling events with DateTime or just Time in same sourcetpye

field extraction

Wondering How to Build Resiliency in the Cloud?

Updated Data Management and AWS GDI Inventory in Splunk Observability

Introducing the Splunk Community Dashboard Challenge!