https://community.splunk.com/t5/Getting-Data-In/How-to-correctly-configure-timestamp-extraction/m-p/13067#M1129 <P>This appears to be a line breaking issue.</P> <P>Try adding the following to props.conf:</P> <P>BREAK_ONLY_BEFORE_DATE = true</P> Fri, 07 May 2010 07:55:12 GMT Simon_Shelston 2010-05-07T07:55:12Z https://community.splunk.com/t5/Getting-Data-In/How-to-correctly-configure-timestamp-extraction/m-p/13066#M1128 <P><STRONG>Here is a sample log</STRONG>:</P> <PRE> 2010-05-06 16:41:18,082 INFO SplunkCLI :: Executing: "/Users/hs/bin/" status space Thu May 6 16:40:42 2010 1 unknown /var/folders/0g/0g2PnEjcEOeS9P-W4W4aIQkTMTmp9142.txt --------------------------------------- Collapse files into common directories? --------------------------------------- Enter [Y]es or [N]o &gt; ------------------------------ Index found files into splunk? ------------------------------ Enter choice: All/Some/[None] &gt; 0 2010-05-06 16:41:54,364 INFO splunk_data :: report_item_fspath='/Users/hstest_find_ascii' file_name='test_found.py' test_name='test_find_ascii' test_result='PASSED' error_message='' 2010-05-06 16:41:54,364 INFO conftest :: RUNTEST_TEARDOWN test_ascii runtime=163 </PRE> <P><STRONG>Currently splunk sees this as two events</STRONG>: </P> <PRE>2010-05-06 16:41:18,082 ... Thu May 6 16:40:42 2010 ...</PRE> <P><STRONG>How can I correctly extract the timestamp to turn the sample log above as three events?</STRONG></P> <PRE>2010-05-06 16:41:18,082 ... 2010-05-06 16:41:54,364 ... 2010-05-06 16:41:54,364 ...</PRE> <P><STRONG>My props.conf in etc/apps/my-app/local/props.conf looks like this</STRONG>:</P> <PRE>[sourcetype::testlog] MAX_TIMESTAMP_LOOKAHEAD = 25</PRE> Fri, 07 May 2010 07:47:32 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-correctly-configure-timestamp-extraction/m-p/13066#M1128 hans 2010-05-07T07:47:32Z https://community.splunk.com/t5/Getting-Data-In/How-to-correctly-configure-timestamp-extraction/m-p/13067#M1129 <P>This appears to be a line breaking issue.</P> <P>Try adding the following to props.conf:</P> <P>BREAK_ONLY_BEFORE_DATE = true</P> Fri, 07 May 2010 07:55:12 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-correctly-configure-timestamp-extraction/m-p/13067#M1129 Simon_Shelston 2010-05-07T07:55:12Z https://community.splunk.com/t5/Getting-Data-In/How-to-correctly-configure-timestamp-extraction/m-p/13068#M1130 <P>Simon gave the best answer.</P> <P>First of all, you have to tell Splunk that this is a multi line event, and then when the log should be broken into an event. In your case use this directive in props.conf:</P> <PRE><CODE>[source::testlog] BREAK_ONLY_BEFORE_DATE = true </CODE></PRE> <P>Honestly I'm not 100% sure and I would check if the second line is considered an event-breaker or not.</P> <P>Regards, Marco Scala - Consoft</P> Fri, 07 May 2010 19:51:47 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-correctly-configure-timestamp-extraction/m-p/13068#M1130 marcoscala 2010-05-07T19:51:47Z