https://community.splunk.com/t5/Getting-Data-In/Raw-import-not-getting-the-full-data-Is-this-a-CR-LF-issue-that/m-p/337508#M62330 <P>I will give that a try. I tried </P> <P>BREAK_ONLY_BEFORE = ^\d\d\d\d-\d\d-\d\d\s\d\d:\d\d:\d\d,\d\d\d\s*[[]\d*[]]</P> <P>and that seemed to work.</P> <P>Many thanks</P> Tue, 29 Sep 2020 13:45:06 GMT ipicbc 2020-09-29T13:45:06Z https://community.splunk.com/t5/Getting-Data-In/Raw-import-not-getting-the-full-data-Is-this-a-CR-LF-issue-that/m-p/337506#M62328 <P>I am not getting the full event on ingestion from a log file. I am assuming it's a CR/LF problem that would be fixed by a config file tweak.</P> <P>This is some data :</P> <PRE><CODE>2017-04-18 04:00:53,373 [6968] INFO BatchLog - Will execute jobName: QP_EODSnapshotBase with JobTask: DailyTradeSnapshotJobTask. 2017-04-18 04:02:55,224 [6968] INFO BatchLog - Job Name: QP_EODSnapshotBase JobTask: DailyTradeSnapshotJobTask Start Time: 18/04/2017 04:00 End Time: 18/04/2017 04:02 2017-04-18 04:02:55,240 [6968] INFO BatchLog - Exclusion list retrieved for jobName QP_EODSnapshotEnergy : </CODE></PRE> <P>Each line ends with a CR/LF. The first and last records in the snippet import OK, the middle one does not bring in the lines with Start Time and End Time. </P> <P>Here is the props.conf entry for this sourcetype:</P> <PRE><CODE>[qpbatch] DATETIME_CONFIG = NO_BINARY_CHECK = true category = Custom pulldown_type = 1 BREAK_ONLY_BEFORE_DATE = True </CODE></PRE> <P>Perhaps I am breaking the break_only_before_date logic because there is a date on those lines?!?!?!?</P> <P>Any thoughts as to why this happens?</P> <P>Thanks</P> Tue, 29 Sep 2020 13:44:48 GMT https://community.splunk.com/t5/Getting-Data-In/Raw-import-not-getting-the-full-data-Is-this-a-CR-LF-issue-that/m-p/337506#M62328 ipicbc 2020-09-29T13:44:48Z https://community.splunk.com/t5/Getting-Data-In/Raw-import-not-getting-the-full-data-Is-this-a-CR-LF-issue-that/m-p/337507#M62329 <P>Hi,</P> <P>Have a go with this for your props.conf</P> <PRE><CODE>[qpbatch] TIME_PREFIX = ^ TIME_FORMAT = %Y-%m-%d %H:%M:%S,%3Q MAX_TIMESTAMP_LOOKAHEAD = 23 SHOULD_LINEMERGE = True BREAK_ONLY_BEFORE_TIME = True TRUNCATE = 10000 </CODE></PRE> <P>This way you're telling Splunk that the timestamp starts at the beginning of lines and the exact format to look for.</P> <P>I did a quick test and got this:</P> <P><span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/2801iB0F84D1FC72263AA/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> <P>See if that helps you get closer to a solution.</P> Tue, 18 Apr 2017 19:37:13 GMT https://community.splunk.com/t5/Getting-Data-In/Raw-import-not-getting-the-full-data-Is-this-a-CR-LF-issue-that/m-p/337507#M62329 gvmorley 2017-04-18T19:37:13Z https://community.splunk.com/t5/Getting-Data-In/Raw-import-not-getting-the-full-data-Is-this-a-CR-LF-issue-that/m-p/337508#M62330 <P>I will give that a try. I tried </P> <P>BREAK_ONLY_BEFORE = ^\d\d\d\d-\d\d-\d\d\s\d\d:\d\d:\d\d,\d\d\d\s*[[]\d*[]]</P> <P>and that seemed to work.</P> <P>Many thanks</P> Tue, 29 Sep 2020 13:45:06 GMT https://community.splunk.com/t5/Getting-Data-In/Raw-import-not-getting-the-full-data-Is-this-a-CR-LF-issue-that/m-p/337508#M62330 ipicbc 2020-09-29T13:45:06Z