[Question] How to split the Message based on datetime on the log time (not sumologic time)

Follow

Thomas Hartono

• June 30, 2021 01:44

Hi.

I'm new on using Sumologic. I'd like to ask question / tips on searching log.

We are using tomcat and we send catalina.out to sumologic, but when the search results on sumologic, we get the data,

Search result is below:

The question is

1. What is the cause of : Time is lagged (Sumologic time is 30 June at 00) and our log is 29 June 17.00 (Indonesia Time) ?

2. How to parse / separate the search result based on the time message on Catalina log, eg.

time :2021-06-29 17.50:06.960 | Messages : (FIFWS....

time :2021-06-29 17.50:07.486 | Messages : (FIFWS... , etc

because If I use search, I only get the first data. (On below search, I want to get how many checkversion request, But only get one line. and the parsed as time is invalid because it cointains of another message text as parsed result)

0

• 

  Harinder Bhandari

  • July 04, 2021 21:01

  Hi Thomas,

  First issue looks like a timezone setting issue. You should configure the timezone of your tomcat source correctly by editing the source. You can read more about the timezone setting here under the heading :

  https://help.sumologic.com/03Send-Data/Sources/04Reference-Information-for-Sources/Timestamps%2C-Time-Zones%2C-Time-Ranges%2C-and-Date-Formats  

  For second issue, you should set up boundary regex for the multiline processing for the tomcat source. You can use this boundary regex:

  ^\d{4}-\d{2}-\d{2}\s+\d{2}:\d{2}:\d{2}.*

  More details about multiline processing is read here:

  https://help.sumologic.com/03Send-Data/Sources/04Reference-Information-for-Sources/Collecting-Multiline-Logs 

  Hope this helps.

  Thanks

   

  0

  Comment actions Permalink

Please sign in to leave a comment.