topic Line Breaking Not Working for some IIS logs in Getting Data In

Line Breaking Not Working for some IIS logs

daniel333 — Wed, 12 Jun 2019 23:12:37 GMT

All,

My IIS logs keep getting merged together into one event and maybe i am just exhausted, but I can't seem to figure out where i am going wrong.

Example logs that were merged -

2019-06-12 04:06:56 10.1.1.1 GET SOMEURL=1234512244 443 - 10.2.2.2 - - 200 0 0 15
2019-06-12 04:06:56 10.11.11.1 GET SOMEURL 1 443 - 10.2.2.2 - - 200 0 0 31
2019-06-12 04:06:56 10.1.11.1 GET SOMEURL 443 - 10.2.2.2 - - 200 0 0 46

props.conf

[ms:iis:default]
MAX_TIMESTAMP_LOOKAHEAD = 20
SHOULD_LINEMERGE = false
TIME_PREFIX = ^ 
TIME_FORMAT = %Y-%m-%d %H:%M:%S 
SHOULD_LINEMERGE = False 
LINE_BREAKER = ([\n\r]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2} 
TRUNCATE = 4000
TZ=UTC
MAX_DAYS_AGO = 1
MAX_DAYS_HENCE = 2
EVENT_BREAKER_ENABLE = true 
EVENT_BREAKER = ([\n\r]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}

Hoping a second set of eyes will see where I went wrong?

Re: Line Breaking Not Working for some IIS logs

gcusello — Wed, 30 Sep 2020 00:54:15 GMT

Hi daniel333,
why did you used LINE_BREAKER and EVENT_BREAKER if you have SHOULD_LINEMERGE=false?
As you can see at https://docs.splunk.com/Documentation/Splunk/7.3.0/Admin/Propsconf

When using LINE_BREAKER to delimit events, SHOULD_LINEMERGE should be set to false, to ensure no further combination of delimited events occurs.

SHOULD_LINEMERGE=false is repeated two times.

Anyway I don't see any other problem, maybe in the wrong logs there's some problem in Line Feed, try to see this.
In addition check if the timestamp format is the same in both the logs.

Bye.
Giuseppe

Re: Line Breaking Not Working for some IIS logs

amitm05 — Wed, 30 Sep 2020 00:54:31 GMT

Are you not using the Splunk Add-on for Microsoft IIS to parse your IIS events ? https://splunkbase.splunk.com/app/3185/
I would assume that you are.
I've been using this in the past and I never had to make any customizations to make things working.

From the Addon, I see the props.conf have the following stanza:

[ms:iis:default]
MAX_TIMESTAMP_LOOKAHEAD = 23
SHOULD_LINEMERGE = false
REPORT-auto_kv_for_iis_default = auto_kv_for_iis_default

But in your settings, I see you have additionally defined LINE_BREAKER, EVENT_BREAKER etc. rules.
I'd suggest to use the default settings that come out of the box with Add On and it should work smooth.

Please accept as answer if this post responds your query
Thanks