<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Breaking correctly some SIP logs in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/Breaking-correctly-some-SIP-logs/m-p/22444#M3461</link>
    <description>&lt;P&gt;Thanks for the answer. Actually, it is what I did the first time, but I think I have an issue due to the fact that I'm reading the log file from an NFS share on another server. I saw a post on that previously.&lt;/P&gt;

&lt;P&gt;Thanks,
Pierre&lt;/P&gt;</description>
    <pubDate>Mon, 10 Jan 2011 09:53:03 GMT</pubDate>
    <dc:creator>opsi</dc:creator>
    <dc:date>2011-01-10T09:53:03Z</dc:date>
    <item>
      <title>Breaking correctly some SIP logs</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Breaking-correctly-some-SIP-logs/m-p/22442#M3459</link>
      <description>&lt;P&gt;Hi All,
here is what my logs look like: &lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;17:31:52.872 CALL(IP)  (00:62582:01) Fax Mode is Bypass, Modem Mode is Bypass
17:31:52.872 CALL(IP)  (00:62582:01) RFC2833 DTMF Relay in use, Dynamic Payload
                        Type is 101
17:31:52.872 CALL(IP)  (00:62582:01) Initial MID is disabled
17:31:52.882 CALL(IP)  (00:62582:01) SENT Outseize ACK (toPvid: x66) to L3P
17:31:52.882 CALL(SIP) (00:62582:01) RCVD Outseize Ack from VPPL
17:31:52.882 CALL(SIP) (00:62582:01) SENT Connect to L4
17:31:52.882 CALL(SIP) (00:62582:01) Start 868 Seconds Session End Timer
17:31:52.882 CALL(SIP) (00:62582:01) RCVD Cut Thru from VPPL
17:31:52.882 CALL(SIP) (00:62582:01) RCVD Connect from VPPL
17:31:52.882 CALL(L4)  (00:62582:01) RCVD Connect  from SIP
17:31:52.882 CALL(L4)  (00:62582:01) SENT CPE of ANSWER  to GCL
17:31:52.882 CALL(L4)  (00:62582:01) SENT connect_1way: r_ts=0x24f l_ts=0x489 t
                       o TSI
17:31:52.882 CALL(L4)  (00:62582:00) SENT connect_1way: r_ts=0x489 l_ts=0x24f t
                       o TSI
17:31:52.882 CALL(GCL) (00:62582:01) RCVD CPE of ANSWER  from L4
17:31:52.882 CALL(GCL) (00:62582:01) SENT Call Answered to GCL
17:31:52.882 CALL(GCL) (00:62582:00) SENT CPE of ANSWER  to L4
17:31:52.882 CALL(L4)  (00:62582:00) RCVD CPE of ANSWER from GCL
17:31:52.882 CALL(L4)  (00:62582:00) SENT Connect to ISDN
17:31:52.882 CALL(ISD) (00:62582:00) RCVD Connect from L4
17:31:52.882 CALL(ISD) (00:62582:00) SENT Connect to Network
17:31:52.962 CALL(SIP) (00:00000:00) SENT OPTIONS to 10.247.9.200:5060 Cseq:257
                       375
17:31:52.962 CALL(SIP) (00:00000:00)      with R-URI: 10.247.9.200:5060 UDP
17:31:52.962 CALL(SIP) (00:00000:00) 
                        &amp;lt;--- [10.247.9.200, 5060 &amp;lt;- 10.247.9.150, 5060]
                       OPTIONS sip:10.247.9.200:5060;ttl=0 SIP/2.0\r\n 
                       Via: SIP/2.0/UDP 10.247.9.150:5060;rport;branch=z9hG4bK-
                       79cd-1294306312-4999-65\r\n 
                       Call-ID: 73f1-1e61-98201021544-Phy_SGKCHIM1-0-10.247.9.1
                       50\r\n 
                       CSeq: 257375 OPTIONS\r\n 
                       Max-Forwards: 70\r\n 
                       To: &amp;lt;sip:10.247.9.200:5060;ttl=0&amp;gt;\r\n 
                       From: &amp;lt;sip:10.247.9.150&amp;gt;;tag=95ffcd055e0f78f7d5d397020e8
                       9288d9c72166f\r\n 
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;So it can be just one line per event or more.&lt;/P&gt;

&lt;P&gt;I have created a new source type as follows: &lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;adminops@ocsinventory:/opt/splunk/bin$ sudo ./splunk cmd btool props list sip
[sip]
BREAK_ONLY_BEFORE = CALL
BREAK_ONLY_BEFORE_DATE = false
CHARSET = UTF-8
DATETIME_CONFIG = /etc/datetime.xml
LEARN_SOURCETYPE = false
MAX_DAYS_AGO = 2000
MAX_DAYS_HENCE = 2
MAX_DIFF_SECS_AGO = 3600
MAX_DIFF_SECS_HENCE = 604800
MAX_EVENTS = 256
MAX_TIMESTAMP_LOOKAHEAD = 128
MUST_BREAK_AFTER = 
MUST_NOT_BREAK_AFTER = 
MUST_NOT_BREAK_BEFORE = 
SEGMENTATION = indexing
SEGMENTATION-all = full
SEGMENTATION-inner = inner
SEGMENTATION-outer = outer
SEGMENTATION-raw = none
SEGMENTATION-standard = standard
SHOULD_LINEMERGE = True
TRANSFORMS = 
TRUNCATE = 10000
maxDist = 100
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;But unfortunately, it doesn't break the events correctly...
If you have any idea what I should change, it would help a lot 🙂&lt;/P&gt;

&lt;P&gt;Pierre&lt;/P&gt;</description>
      <pubDate>Fri, 07 Jan 2011 09:48:08 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Breaking-correctly-some-SIP-logs/m-p/22442#M3459</guid>
      <dc:creator>opsi</dc:creator>
      <dc:date>2011-01-07T09:48:08Z</dc:date>
    </item>
    <item>
      <title>Re: Breaking correctly some SIP logs</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Breaking-correctly-some-SIP-logs/m-p/22443#M3460</link>
      <description>&lt;P&gt;So you want to start a new event with each line that starts with a timestamp, right?&lt;/P&gt;

&lt;P&gt;Is &lt;CODE&gt;BREAK_ONLY_BEFORE_DATE&lt;/CODE&gt; set to False for a reason?  Seems like that would be the opposite of what you'd want.&lt;/P&gt;

&lt;P&gt;Part of the problem may be that there are no datestamps, only timestamps. You can use &lt;CODE&gt;TIME_FORMAT&lt;/CODE&gt; to tell it explicitly what to look for.&lt;/P&gt;

&lt;P&gt;Try:&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;[sip]
SHOULD_LINEMERGE = True
BREAK_ONLY_BEFORE_DATE = true
MAX_TIMESTAMP_LOOKAHEAD = 14
TIME_FORMAT = %H:%M:%S.%Q
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;Turning &lt;CODE&gt;MAX_TIMESTAMP_LOOKAHEAD&lt;/CODE&gt; down will help avoid incorrectly splitting on timestamps in the data column.&lt;/P&gt;

&lt;P&gt;Turning linemerge off and using &lt;CODE&gt;LINE_BREAKER&lt;/CODE&gt; instead is another good option.&lt;/P&gt;</description>
      <pubDate>Fri, 07 Jan 2011 10:25:33 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Breaking-correctly-some-SIP-logs/m-p/22443#M3460</guid>
      <dc:creator>southeringtonp</dc:creator>
      <dc:date>2011-01-07T10:25:33Z</dc:date>
    </item>
    <item>
      <title>Re: Breaking correctly some SIP logs</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Breaking-correctly-some-SIP-logs/m-p/22444#M3461</link>
      <description>&lt;P&gt;Thanks for the answer. Actually, it is what I did the first time, but I think I have an issue due to the fact that I'm reading the log file from an NFS share on another server. I saw a post on that previously.&lt;/P&gt;

&lt;P&gt;Thanks,
Pierre&lt;/P&gt;</description>
      <pubDate>Mon, 10 Jan 2011 09:53:03 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Breaking-correctly-some-SIP-logs/m-p/22444#M3461</guid>
      <dc:creator>opsi</dc:creator>
      <dc:date>2011-01-10T09:53:03Z</dc:date>
    </item>
  </channel>
</rss>