https://community.splunk.com/t5/Getting-Data-In/Need-help-with-event-linebreaking-and-timestamp-recognition/m-p/290526#M55411 <P>You can use a TIME_FORMAT of:</P> <PRE><CODE>TIME_FORMAT = %a %b %d %H:%M:%S %Y </CODE></PRE> <P>Since the data is a long way into your event you will either have a complicated TIME_PREFIX or a large MAX_TIMESTAMP_LOOKAHEAD.<BR /> Is the aim of the line breaker to never break the data ?</P> <PRE><CODE>LINE_BREAKER = (nolinebreaksplease) </CODE></PRE> <P>Or does the start of the line with I mark a new line? Which seems strange but ...</P> <PRE><CODE>LINE_BREAKER = ([\r\n]+)I </CODE></PRE> <P>I've made a few assumptions here as I'm unsure of exactly what your intentions are.</P> Tue, 29 Sep 2020 16:12:29 GMT gjanders 2020-09-29T16:12:29Z https://community.splunk.com/t5/Getting-Data-In/Need-help-with-event-linebreaking-and-timestamp-recognition/m-p/290525#M55410 <P>Hi Folks,</P> <P>Please anyone help me to configure event linebreaking and timestamp recognition for below format logs.</P> <P>sample logs:</P> <HR /> <H2>trc file: "dev_w0", trc level: 1, release: "742"</H2> <P>*<BR /> * ACTIVE TRACE LEVEL 1<BR /> * ACTIVE TRACE COMPONENTS all, MJ<BR /> *<BR /> M sysno 00<BR /> M sid P05<BR /> M systemid 390 (AMD/Intel x86_64 with Linux)<BR /> M relno 7420<BR /> M patchlevel 0<BR /> M patchno 439<BR /> M intno 20020600<BR /> M make multithreaded, Unicode, 64 bit, optimized<BR /> M profile /usr/sap/P05/SYS/profile/P05_D00_stp05a02<BR /> M pid 3019<BR /> M <BR /> M<BR /><BR /> M Sun Sep 17 10:40:23 2017<BR /> M kernel runs with dp version 3000(ext=117000) (@(#) DPLIB-INT-VERSION-0+3000-UC)<BR /> M ***LOG Q01=&gt; ThInit, WPStart (Workp. 0 1 3019) [thxxhead.c 1052]<BR /> M<BR /><BR /> M Sun Sep 17 10:40:28 2017<BR /> M ThInit: running on host stp05a02<BR /> I MtxInit: 0 0 0<BR /> M calling db_connect ...<BR /> B Loading DB library '/usr/sap/P05/D00/exe/dboraslib.so' ...<BR /> I </P> <P>props.conf:</P> <P>SHOULD_LINEMERGE=false<BR /> LINE_BREAKER = <BR /> TIME_PREFIX=<BR /> MAX_TIMESTAMP_LOOKAHEAD=<BR /> TIME_FORMAT=</P> Tue, 29 Sep 2020 16:07:30 GMT https://community.splunk.com/t5/Getting-Data-In/Need-help-with-event-linebreaking-and-timestamp-recognition/m-p/290525#M55410 lksridhar 2020-09-29T16:07:30Z https://community.splunk.com/t5/Getting-Data-In/Need-help-with-event-linebreaking-and-timestamp-recognition/m-p/290526#M55411 <P>You can use a TIME_FORMAT of:</P> <PRE><CODE>TIME_FORMAT = %a %b %d %H:%M:%S %Y </CODE></PRE> <P>Since the data is a long way into your event you will either have a complicated TIME_PREFIX or a large MAX_TIMESTAMP_LOOKAHEAD.<BR /> Is the aim of the line breaker to never break the data ?</P> <PRE><CODE>LINE_BREAKER = (nolinebreaksplease) </CODE></PRE> <P>Or does the start of the line with I mark a new line? Which seems strange but ...</P> <PRE><CODE>LINE_BREAKER = ([\r\n]+)I </CODE></PRE> <P>I've made a few assumptions here as I'm unsure of exactly what your intentions are.</P> Tue, 29 Sep 2020 16:12:29 GMT https://community.splunk.com/t5/Getting-Data-In/Need-help-with-event-linebreaking-and-timestamp-recognition/m-p/290526#M55411 gjanders 2020-09-29T16:12:29Z https://community.splunk.com/t5/Getting-Data-In/Need-help-with-event-linebreaking-and-timestamp-recognition/m-p/290527#M55412 <P>Thanks for the information, my intentions is, i have an log file which don't have time stamp for first 19 lines and "getting the failed to parse timestamp and default to modftime" error on first row.</P> <P>The below configuration am using for.</P> <P>SHOULD_LINEMERGE=false<BR /> LINE_BREAKER=([\r\n]+)(?:\w{1}\s\w{3}\s\w{3}\s\d{2}\s\d{2}:\d{2}:\d{2}\s\d{4})<BR /> TIME_FORMAT = %a %b %d %H:%M:%S %Y</P> Tue, 29 Sep 2020 16:07:42 GMT https://community.splunk.com/t5/Getting-Data-In/Need-help-with-event-linebreaking-and-timestamp-recognition/m-p/290527#M55412 lksridhar 2020-09-29T16:07:42Z https://community.splunk.com/t5/Getting-Data-In/Need-help-with-event-linebreaking-and-timestamp-recognition/m-p/290528#M55413 <P>TIME_PREFIX can work over multiple lines as per another answer <A href="https://answers.splunk.com/answers/290137/how-to-extract-and-assign-a-timestamp-from-a-multi.html">here</A>, I don't have a very nice solution but this might work:</P> <PRE><CODE>TIME_PREFIX = ([\r\n]+)(?=M (Sun|Mon|Tue|Wed|Thu|Fri|Sat) [A-Z]) </CODE></PRE> <P>Or perhaps something like this, although I have not tested it (assuming it's always on the next line):</P> <PRE><CODE>TIME_PREFIX = ([^\n\r]+[\r\n]*){19} </CODE></PRE> Mon, 09 Oct 2017 12:29:43 GMT https://community.splunk.com/t5/Getting-Data-In/Need-help-with-event-linebreaking-and-timestamp-recognition/m-p/290528#M55413 gjanders 2017-10-09T12:29:43Z https://community.splunk.com/t5/Getting-Data-In/Need-help-with-event-linebreaking-and-timestamp-recognition/m-p/290529#M55414 <P>I have tried the both and it is not working. still get the same error.<BR /> r</P> Mon, 09 Oct 2017 14:25:06 GMT https://community.splunk.com/t5/Getting-Data-In/Need-help-with-event-linebreaking-and-timestamp-recognition/m-p/290529#M55414 lksridhar 2017-10-09T14:25:06Z