topic Re: Splunk automatically splits a event into two, because of two dates in Getting Data In

Splunk automatically splits a event into two, because of two dates

sre_sl — Tue, 29 Sep 2020 23:57:52 GMT

Hi All

I tried a solution suggested online for a similar issue, but it didn't fix the problem

The below extract from the log is a single event

 2019-03-26 12:03:28.753 +0000 INFO  [zzz] [yyy] [] [] [rrId:] []  Message
----------------------------
ID: 7
Response-Code: 200
Encoding: UTF-8
Content-Type: text/xml;charset=utf-8
Headers: {Connection=[close], Content-Type=[text/xml;charset=utf-8], Date=[Tue, 26 Mar 2019 12:03:28 GMT],
Show less

but it results like this

 2019-03-26 12:03:28.753 +0000 INFO  [zzz] [yyy] [] [] [rrId:] []  Message
 ----------------------------
 ID: 7
 Response-Code: 200
 Encoding: UTF-8
 Content-Type: text/xml;charset=utf-8

In 2 lines

Headers: {Connection=[close], Content-Type=[text/xml;charset=utf-8], Date=[Tue, 26 Mar 2019 12:03:28 GMT],
         Show less

We have a cluster environment so I updated the props here - opt/splunk/etc/master-apps/_cluster/local/props.conf with the below
[log4j]

MAX_TIMESTAMP_LOOKAHEAD = 19

I pushed the change to the peers and restarted all the indexers

Any thoughts to fix this issue please?

Thanks

Re: Splunk automatically splits a event into two, because of two dates

somesoni2 — Fri, 05 Apr 2019 15:10:43 GMT

Try this for your props.conf (sourcetype definition)

[log4j]
SHOULD_LINEMBER=false
LINE_BREAKER=([\r\n]+)(?=\d{4}-\d{2}-\d{2})
TIME_PREFIX=^
TIME_FORMAT=%Y-%m-%d %H:%M:%S.%3N %z
MAX_TIMESTAMP_LOOKAHEAD=29

Re: Splunk automatically splits a event into two, because of two dates

sre_sl — Mon, 08 Apr 2019 10:13:42 GMT

Thanks.

It works partially but creates another issue.

The below shows as one event

2019-04-08 09:51:11.791 +0000 INFO   INFO  [[zzz] [yyy] [] [] [rrId:] []  Message In
----------------------------
ID: 3
Response-Code: 200
Encoding: UTF-8
Content-Type: text/xml;charset=utf-8
Headers: {Connection=[close], Content-Type=[text/xml;charset=utf-8], Date=[Mon, 08 Apr 2019 09:51:11 GMT]

But what happens is the next message is also in the same event, which should be a separate event

2019-04-08 09:51:11.727 +0000 INFO [[zzz] [yyy] [] [] [rrId:] [] Message Out

ID: 3
Address: xxxx
Encoding: UTF-8
Http-Method: POST
Content-Type: text/xml
Headers: {Accept=[/], Connection=[close], SOAPAction=[""]}

2019-04-08 09:51:11.791 +0000 INFO INFO [[zzz] [yyy] [] [] [rrId:] [] Message In

ID: 3
Response-Code: 200
Encoding: UTF-8
Content-Type: text/xml;charset=utf-8
Headers: {Connection=[close], Content-Type=[text/xml;charset=utf-8], Date=[Mon, 08 Apr 2019 09:51:11 GMT]

Re: Splunk automatically splits a event into two, because of two dates

somesoni2 — Mon, 08 Apr 2019 15:59:48 GMT

Give this a try

[log4j]
 SHOULD_LINEMBER=false
 LINE_BREAKER=([\r\n]+)(?=\s*\d{4}-\d{2}-\d{2}\s*\d+)
 TIME_PREFIX=^
 TIME_FORMAT=%Y-%m-%d %H:%M:%S.%3N %z
 MAX_TIMESTAMP_LOOKAHEAD=29