Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to break a multi-line event with regex, provided that the date and time containing the milliseconds changes only at the beginning of the line.

leandromatperei
Path Finder
‎11-15-2019 04:54 AM

Hi,
I have the following log format,
How can I break this multiline event, with the condition if the date is changed only when the date containing time is at the beginning of the line.

Example: 2019-11-12T12: 51: 28.338

2019-11-12T09:51:28.291 Dbg 23058 [MsgIn] Ended defined Clients :
2019-11-12T09:51:28.338 Dbg 23055 [MsgIn]     None.
2019-11-12T09:51:28.338 Dbg 23056 [MsgIn] Scheduled Clients :
2019-11-12T09:51:28.338 Dbg 23055 [MsgIn]     None.
2019-11-12T09:51:36.154 Trc 29998 [PSDK.Timer] 
-AP[8802]->-65331 @09:51:36.0154
2019-11-12T09:51:36.154 Trc 29998 [O worker #4] 
-Ap[8802]-<-65331 @09:51:36.0154
2019-11-12T09:51:51.145 Trc 29998 [PSDK.Timer] 
-AP[4563]->-58089 @09:51:51.0145
2019-11-12T09:51:51.145 Trc 29998 [O worker #4] 
-Ap[4563]-<-58089 @09:51:51.0145
2019-11-12T09:51:53.657 Trc 29998 [PSDK.Timer] 
-AP[5040]->-59427 @09:51:53.0657
2019-11-12T09:51:53.657 Trc 29998 [O worker #3] 
-Ap[5040]-<-59427 @09:51:53.0657
Timezone UTC offset:        03:00:00
UTC Start Time:         2019-11-09T05:25:11.154
Running Time (DDD:HH:MM:SS):    003:07:26:17
UTC Time:           2019-11-12T12:51:28.338

2019-11-12T09:51:58.353 Dbg 23053 [MsgIn] Clients defined in ConfigServer :
-Ap[4564]-<-58089 @09:52:21.0160
2019-11-12T09:52:28.367 Dbg 23053 [MsgIn] Clients defined in ConfigServer :
2019-11-12T09:52:28.367 Dbg 23054 [MsgIn]     <pop-client PROD545454> enabled.
2019-11-12T09:52:28.367 Dbg 23054 [MsgIn]     <pop-client PROD545454> enabled.
2019-11-12T09:52:28.367 Dbg 23054 [MsgIn]     <pop-client PROD545454> enabled.
Tags (2)
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎11-15-2019 05:02 AM

Try these props.conf settings:

[mysourcetype]
LINE_BREAKER = ([\r\n]+)\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d\.\d{3}
TIME_PREFIX = ^
TIME_FORMAT = %Y-%m-%dT%H%:M%:S.%3N
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

leandromatperei
Path Finder
‎11-18-2019 06:48 AM

Thanks.

How can I besides the comma also include the period?

Ex:
2019-11-18T10:44:31,949 Trc 21126 [SvcSrvW-39 ] <[33489584]> 'OMInteractions.GetInteractionContent' (request id 33489584) handling duration : 94 ms.
2019-11-18T10:44:31,949 Trc 21133 [SvcSrvW-38 ] <[122907, txn-18478985, txn-18478985, txn-18478985]> Updating persistent object '000QPaEVQX5MWUQV' from class 'com.genesyslab.icc.api.contactserver.persistent.IndexEvent'.
2019-11-18T10:44:31,949 Dbg 09900 [SvcSrvW-38 ] <[122907, txn-18478985, txn-18478985, txn-18478985]> Executing request: update IndexEvent set IndexEvent.IndexName=?, IndexEvent.ProcessedPri=?, IndexEvent.EventDate=?, IndexEvent.ProcessedBck=?, IndexEvent.Operation=? where (IndexEvent.Id = ?) in transaction : 422961818@txn-txn-18478985 with timeout=15
2019-11-18T10:44:31,949 Dbg 09900 [SvcSrvW-25 ] <[33489586, txn-18478990, txn-18478990]> Getting ResultSetMetaData

2019-11-12T09:51:58.353 OR 2019-11-18T10:44:31,949

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎11-19-2019 04:43 AM

The TIME_FORMAT setting for times using comma would be %Y-%m-%dT%H%:M%:S,%3N. One cannot specify alternatives in TIME_FORMAT. To support variations in time strings. edit the DATETIME.XML file.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

leandromatperei
Path Finder
‎11-18-2019 06:45 AM

thanks,

And for the pattern below, what should the time format be? "2019-11-18T10:44:31,949"

2019-11-18T10:44:31,949 Trc 21126 [SvcSrvW-39 ] <[33489584]> 'OMInteractions.GetInteractionContent' (request id 33489584) handling duration : 94 ms.
2019-11-18T10:44:31,949 Trc 21133 [SvcSrvW-38 ] <[122907, txn-18478985, txn-18478985, txn-18478985]> Updating persistent object '000QPaEVQX5MWUQV' from class 'com.genesyslab.icc.api.contactserver.persistent.IndexEvent'.
2019-11-18T10:44:31,949 Dbg 09900 [SvcSrvW-38 ] <[122907, txn-18478985, txn-18478985, txn-18478985]> Executing reque

How can I besides the comma include the dot in timeformat?

2019-11-12T09:51:53.657 OR 2019-11-18T10:44:31,949

0 Karma
Reply
Get Updates on the Splunk Community!

Join Us for Splunk University and Get Your Bootcamp Game On!

If you know, you know! Splunk University is the vibe this summer so register today for bootcamps galore ...

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

.conf24 is taking place at The Venetian in Las Vegas from June 11 - 14. Continue reading to learn about the ...

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...