https://community.splunk.com/t5/Getting-Data-In/Handling-events-with-the-same-timestamp/m-p/209598#M41272 <P>Thank You.</P> <P>I did not get a chance to try it out yet. I will update the thread once I get a chance to test it.</P> Thu, 29 Dec 2016 13:02:00 GMT Staging_2 2016-12-29T13:02:00Z https://community.splunk.com/t5/Getting-Data-In/Handling-events-with-the-same-timestamp/m-p/209596#M41270 <P>I am extracting logs from a file which contain entries with two timestamp log entries:<BR /> 1. eventTimestamp<BR /> 2. timestamp</P> <P>The later is included by my logging framework. I occasionally write events where the timestamp is the same. In these cases the events gets grouped together as shown below:</P> <P>The events below would all appear under the timestamp: 2016-12-28T17:07:55.946Z.<BR /> ```<BR /> {"eventCode":13400,"eventDetails":{"title":"xxxx","source":"xxx","code":"InvalidArgument","subscriptionType":"active","system":"xxx"},"userDetails":{"userAgent":"xxxx","userApp":"sc"},"eventTimestamp":"2016-12-28T17:07:55.946Z","uid":"xxx","accountDetails":{"account":"xx","email":"xxxxx,"environment":"xxx"},"level":"info","message":"","timestamp":"2016-12-28T17:07:39.593Z"}<BR /> {"eventCode":13400,"eventDetails":{"title":"xxxx","source":"xxx","code":"InvalidArgument","subscriptionType":"active","system":"xxx"},"userDetails":{"userAgent":"","userApp":"sc"},"eventTimestamp":"2016-12-28T17:07:56.766Z","uid":"xxx","accountDetails":{"account":"xxxx","email":"xxxx","environment":"xxx"},"level":"info","message":"","timestamp":"2016-12-28T17:07:39.593Z"}</P> <P>```</P> <P>I have tried creating a props.conf file with the following configuration:</P> <P><CODE><BR /> [api_reporting]<BR /> SHOULD_LINEMERGE=false<BR /> TIME_PREFIX=eventTimestamp<BR /> MAX_TIMESTAMP_LOOKAHEAD=10<BR /> </CODE></P> <P>However, I am continuing to experience the issue. I have followed [1] to determine if my props.conf file is read and it seems to be the case. The configuration given above were taken from [2]. </P> <P>[1] <A href="https://docs.splunk.com/Documentation/Splunk/6.5.1/Troubleshooting/Usebtooltotroubleshootconfigurations">https://docs.splunk.com/Documentation/Splunk/6.5.1/Troubleshooting/Usebtooltotroubleshootconfigurations</A><BR /> [2] <A href="https://answers.splunk.com/answers/80488/splunk-treating-multiple-lines-as-one-event-since-they-have-the-same-timestamp.html">https://answers.splunk.com/answers/80488/splunk-treating-multiple-lines-as-one-event-since-they-have-the-same-timestamp.html</A></P> Wed, 28 Dec 2016 17:47:17 GMT https://community.splunk.com/t5/Getting-Data-In/Handling-events-with-the-same-timestamp/m-p/209596#M41270 Staging_2 2016-12-28T17:47:17Z https://community.splunk.com/t5/Getting-Data-In/Handling-events-with-the-same-timestamp/m-p/209597#M41271 <P>Try this for your props.conf (on Indexer or Heavy Forwarder)</P> <PRE><CODE>[api_reporting] SHOULD_LINEMERGE = false LINE_BREAKER = ([\r\n]+)(?=\{\"eventCode\") TIME_PREFIX = eventTimestamp\":\" TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%3N MAX_TIMESTAMP_LOOKAHEAD = 23 </CODE></PRE> Wed, 28 Dec 2016 18:51:53 GMT https://community.splunk.com/t5/Getting-Data-In/Handling-events-with-the-same-timestamp/m-p/209597#M41271 somesoni2 2016-12-28T18:51:53Z https://community.splunk.com/t5/Getting-Data-In/Handling-events-with-the-same-timestamp/m-p/209598#M41272 <P>Thank You.</P> <P>I did not get a chance to try it out yet. I will update the thread once I get a chance to test it.</P> Thu, 29 Dec 2016 13:02:00 GMT https://community.splunk.com/t5/Getting-Data-In/Handling-events-with-the-same-timestamp/m-p/209598#M41272 Staging_2 2016-12-29T13:02:00Z