https://community.splunk.com/t5/Splunk-Search/Parsing-of-events-with-fixed-pattern/m-p/490720#M137012 <P>Hi,</P> <P>I am using Splunk to parse a particular sets of logs since many years but recently i have started facing some issue. Very few of the events are getting merged instead of parsing as a separate event.</P> <P>Consider below example</P> <P><STRONG>2020-05-04 16:45:47,</STRONG>122 [ INFO] [CMEPS_JMSMessengerInject-EnterpriseMessageListener-186] - s_proc_id=921844e5-8130-4f29-9418-5622d95dfeef s_comp_id=ARCHIVER s_seq_no=9 s_proc_dur=372 s_proc_outcome=success<BR /> <STRONG>2020-05-04 16:45:48,</STRONG>124 [ INFO] [CMEPS_JMSMessengerInject-EnterpriseMessageListener-186]</P> <P>These two events should be segregated and should not be merged under any condition. </P> <P>Could someone help me to provide correct props.conf for this sourcetype so that Splunk only starts event with this timestamp pattern ex(2020-05-04 16:45:47)</P> <P>Regards,<BR /> Devang</P> Wed, 30 Sep 2020 05:17:57 GMT ramprakash 2020-09-30T05:17:57Z https://community.splunk.com/t5/Splunk-Search/Parsing-of-events-with-fixed-pattern/m-p/490720#M137012 <P>Hi,</P> <P>I am using Splunk to parse a particular sets of logs since many years but recently i have started facing some issue. Very few of the events are getting merged instead of parsing as a separate event.</P> <P>Consider below example</P> <P><STRONG>2020-05-04 16:45:47,</STRONG>122 [ INFO] [CMEPS_JMSMessengerInject-EnterpriseMessageListener-186] - s_proc_id=921844e5-8130-4f29-9418-5622d95dfeef s_comp_id=ARCHIVER s_seq_no=9 s_proc_dur=372 s_proc_outcome=success<BR /> <STRONG>2020-05-04 16:45:48,</STRONG>124 [ INFO] [CMEPS_JMSMessengerInject-EnterpriseMessageListener-186]</P> <P>These two events should be segregated and should not be merged under any condition. </P> <P>Could someone help me to provide correct props.conf for this sourcetype so that Splunk only starts event with this timestamp pattern ex(2020-05-04 16:45:47)</P> <P>Regards,<BR /> Devang</P> Wed, 30 Sep 2020 05:17:57 GMT https://community.splunk.com/t5/Splunk-Search/Parsing-of-events-with-fixed-pattern/m-p/490720#M137012 ramprakash 2020-09-30T05:17:57Z https://community.splunk.com/t5/Splunk-Search/Parsing-of-events-with-fixed-pattern/m-p/490721#M137013 <P>What are the current props.conf settings for that sourcetype?</P> Mon, 04 May 2020 16:37:14 GMT https://community.splunk.com/t5/Splunk-Search/Parsing-of-events-with-fixed-pattern/m-p/490721#M137013 richgalloway 2020-05-04T16:37:14Z https://community.splunk.com/t5/Splunk-Search/Parsing-of-events-with-fixed-pattern/m-p/490722#M137014 <P>There is no settings as of now.</P> <P>From docs i understood that some changes in props.conf is required.</P> <P>Could you please suggest.</P> Mon, 04 May 2020 16:47:41 GMT https://community.splunk.com/t5/Splunk-Search/Parsing-of-events-with-fixed-pattern/m-p/490722#M137014 ramprakash 2020-05-04T16:47:41Z https://community.splunk.com/t5/Splunk-Search/Parsing-of-events-with-fixed-pattern/m-p/490723#M137015 <P>One should never onboard a sourcetype without specific props.conf settings. Letting Splunk about the data is asking for problems and actually slows Splunk down. Every sourcetype should specify these six attributes:</P> <PRE><CODE>TIME_PREFIX TIME_FORMAT MAX_TIMESTAMP_LOOKAHEAD SHOULD_LINEMERGE LINE_BREAKER TRUNCATE </CODE></PRE> <P>If the data is sent by a universal forwarder then you should also specify <CODE>EVENT_BREAKER</CODE> and <CODE>EVENT_BREAKER_ENABLE = true</CODE> in the forwarder's props.conf.</P> Mon, 04 May 2020 19:01:24 GMT https://community.splunk.com/t5/Splunk-Search/Parsing-of-events-with-fixed-pattern/m-p/490723#M137015 richgalloway 2020-05-04T19:01:24Z https://community.splunk.com/t5/Splunk-Search/Parsing-of-events-with-fixed-pattern/m-p/490724#M137016 <P>Thank you so much for explaining about onboarding new sourcetype..so in present scenario which configuration you recommend, i just want my events to start with timestamp only with no merging of other timestamp event. Do I need to use breakonlybefore ?</P> <P>Appreciate your response.</P> Mon, 04 May 2020 19:15:21 GMT https://community.splunk.com/t5/Splunk-Search/Parsing-of-events-with-fixed-pattern/m-p/490724#M137016 ramprakash 2020-05-04T19:15:21Z https://community.splunk.com/t5/Splunk-Search/Parsing-of-events-with-fixed-pattern/m-p/490725#M137017 <P>You should not need <CODE>BREAK_ONLY_BEFORE</CODE>. Try these settings.</P> <PRE><CODE>TIME_PREFIX = ^ TIME_FORMAT = %Y-%m-%d %H:%M:%S MAX_TIMESTAMP_LOOKAHEAD = 19 SHOULD_LINEMERGE = false LINE_BREAKER = ([\r\n]+) TRUNCATE = 10000 </CODE></PRE> Mon, 04 May 2020 20:17:49 GMT https://community.splunk.com/t5/Splunk-Search/Parsing-of-events-with-fixed-pattern/m-p/490725#M137017 richgalloway 2020-05-04T20:17:49Z