You Want Me to Splunk That?
Guess what? Your veteran Splunk administrator took a new job and you were designated as his replacement! Since you are brand new to Splunk and there is no budget for training, you decide to download Splunk to your laptop and explore this new search solution. You load some logs in the blink of an eye and are searching and building dashboards in minutes. You download apps and think to yourself, “No problem… I got this! I can read the documentation and take those Splunk Administration classes later.” Beaming with confidence you have your IT department install a brand new Splunk production server with one CPU and four gigabytes of RAM in VMware and skip right past the Splunk Distributed Deployment …
It’s That Time Again!
The other day I was asked how Splunk can be configured to index a file where the events have different timestamps. If you index this type of log file, your events end up being merged together because the timestamps are in multiple formats and may end up looking something like this:
Here is an example snippet of a catalina.out log file with multiple timestamps. Feel free to import this into your own Splunk instance for learning purposes.
----
Mar 15, 2014 8:18:33 AM org.apache.catalina.startup.Catalina load
INFO: Initialization processed in 576 ms
2014-03-17 23:58:21,246 [pool-2-thread-3068] ERROR org.apache.thrift.server.TThreadPoolServer - Thrift error occurred during processing of message.
org.apache.thrift.protocol.TProtocolException: Missing version in readMessageBegin, old client?
	at org.apache.thrift.protocol.TBinaryProtocol.readMessageBegin(TBinaryProtocol.java:200)
----
You certainly can’t ask the developers …
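To make the merging problem concrete, here is an added example (not code from the original post, and not Splunk's own implementation) that does in Python what a log indexer's line breaker has to do for this file: recognize a new event only when a line starts with one of the two timestamp formats present in catalina.out, the java.util.logging style ("Mar 15, 2014 8:18:33 AM") and the log4j style ("2014-03-17 23:58:21,246"), and attach every other line to the event above it. The sample text is constructed from the snippet above, and the function and variable names are the example's own. Passing only one of the two formats shows exactly the failure mode described: everything after the first matching line collapses into a single event.

```python
import re
from datetime import datetime

# Constructed sample modelled on the catalina.out snippet above (not a real capture).
SAMPLE_LOG = """\
Mar 15, 2014 8:18:33 AM org.apache.catalina.startup.Catalina load
INFO: Initialization processed in 576 ms
2014-03-17 23:58:21,246 [pool-2-thread-3068] ERROR org.apache.thrift.server.TThreadPoolServer - Thrift error occurred during processing of message.
org.apache.thrift.protocol.TProtocolException: Missing version in readMessageBegin, old client?
\tat org.apache.thrift.protocol.TBinaryProtocol.readMessageBegin(TBinaryProtocol.java:200)
"""

# One (regex anchored at start of line, strptime format) pair per timestamp style.
# Hypothetical names; a real indexer keeps the equivalent in its props.conf-style config.
TIMESTAMP_FORMATS = [
    # java.util.logging: "Mar 15, 2014 8:18:33 AM"
    (re.compile(r"^(\w{3} \d{1,2}, \d{4} \d{1,2}:\d{2}:\d{2} [AP]M)"), "%b %d, %Y %I:%M:%S %p"),
    # log4j: "2014-03-17 23:58:21,246"
    (re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3})"), "%Y-%m-%d %H:%M:%S,%f"),
]


def match_timestamp(line, formats=TIMESTAMP_FORMATS):
    """Return a datetime if the line begins with a known timestamp, else None."""
    for pattern, fmt in formats:
        m = pattern.match(line)
        if m:
            return datetime.strptime(m.group(1), fmt)
    return None


def break_events(text, formats=TIMESTAMP_FORMATS):
    """Split raw log text into events.

    A line that starts with a recognized timestamp opens a new event; any other
    line (continuation text, stack-trace frames) is appended to the current one.
    Lines seen before the first timestamp are collected into an undated event so
    no data is silently dropped.
    """
    events = []
    current = None
    for line in text.splitlines():
        ts = match_timestamp(line, formats)
        if ts is not None:
            current = {"timestamp": ts, "lines": [line]}
            events.append(current)
        elif current is not None:
            current["lines"].append(line)
        else:
            current = {"timestamp": None, "lines": [line]}
            events.append(current)
    return events


def summarize(events):
    """One short line per event: timestamp (or 'undated') and line count."""
    return [
        f"{e['timestamp'].isoformat() if e['timestamp'] else 'undated'} "
        f"({len(e['lines'])} line(s))"
        for e in events
    ]


if __name__ == "__main__":
    print("Both formats configured:")
    for s in summarize(break_events(SAMPLE_LOG)):
        print("  ", s)
    print("Only the java.util.logging format configured (events merge):")
    for s in summarize(break_events(SAMPLE_LOG, TIMESTAMP_FORMATS[:1])):
        print("  ", s)
```

With both formats configured the snippet yields two events, one per timestamp, each keeping its continuation lines; with only the first format configured the log4j error and its stack trace are swallowed into the March 15 startup event, which is the merged result the post warns about. The same idea applies to whichever indexer you use: every timestamp style in the file must be declared, or events will be glued to their predecessor.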