https://community.splunk.com/t5/Splunk-Search/BREAK-ONLY-BEFORE-failing-for-date-extraction/m-p/140357#M184829 <P>Yes, your are right, its not taking Cookie TimeStamp. We are analyzed the event and plannign to add date time before ##Cookie....</P> <P>Thank you so much for the solution provided.</P> Thu, 24 Apr 2014 19:41:27 GMT muguniya 2014-04-24T19:41:27Z https://community.splunk.com/t5/Splunk-Search/BREAK-ONLY-BEFORE-failing-for-date-extraction/m-p/140346#M184818 <P>Hi Team,</P> <P>We have configured props.conf file in indexer to break events before date in specific format (yyyy-mm-dd hh:mm:ss,ms), but its not working.</P> <P>props.conf settings:<BR /> [sourcetype]<BR /> BREAK_ONLY_BEFORE = \d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d,\d\d\d<BR /> SHOULD_LINEMERGE = true</P> <H2>Sample Events in Log4j File:</H2> <H2>Cookie Value##Wed Apr 23 21:02:31 EDT 2014</H2> <P>2014-04-23 10:11:44,000 DEBUG 143.171.102.228 <A href="Remittance.java:91" target="_blank">WebContainer : 15</A>- Getting value of source system for first time user.</P> <H2>Cookie Value##Wed Apr 23 21:01:00 EDT 2014</H2> <P>Since ##Cookie Value## contains feature date time stamp we dont want to break events based on Cookie Value. Please let us know how to break events only the event starts with yyyy-mm-dd hh:mm:ss,ms.</P> <P>Thanks</P> Mon, 28 Sep 2020 16:26:50 GMT https://community.splunk.com/t5/Splunk-Search/BREAK-ONLY-BEFORE-failing-for-date-extraction/m-p/140346#M184818 muguniya 2020-09-28T16:26:50Z https://community.splunk.com/t5/Splunk-Search/BREAK-ONLY-BEFORE-failing-for-date-extraction/m-p/140347#M184819 <P>Try this<BR /> BREAK_ONLY_BEFORE = ^\d\d\d\d-\d\d-\d\d\s\d\d:\d\d:\d\d,\d\d\d</P> Mon, 28 Sep 2020 16:26:53 GMT https://community.splunk.com/t5/Splunk-Search/BREAK-ONLY-BEFORE-failing-for-date-extraction/m-p/140347#M184819 somesoni2 2020-09-28T16:26:53Z https://community.splunk.com/t5/Splunk-Search/BREAK-ONLY-BEFORE-failing-for-date-extraction/m-p/140348#M184820 <P>Hi,</P> <P>No luck, still event is getting break when we receive event ##Cookie Value##Wed Apr 23 20:41:00 EDT.</P> <P>props.conf settings with above suggestion:<BR /> [sourcetype]<BR /> BREAK_ONLY_BEFORE = ^\d\d\d\d-\d\d-\d\d\s\d\d:\d\d:\d\d,\d\d\d<BR /> NO_BINARY_CHECK = 1<BR /> SHOULD_LINEMERGE = true<BR /> maxDist = 75<BR /> pulldown_type = 1</P> <P>Is there any way we can look for date in specific format and break the event when matched?</P> <P>Thanks</P> Mon, 28 Sep 2020 16:26:58 GMT https://community.splunk.com/t5/Splunk-Search/BREAK-ONLY-BEFORE-failing-for-date-extraction/m-p/140348#M184820 muguniya 2020-09-28T16:26:58Z https://community.splunk.com/t5/Splunk-Search/BREAK-ONLY-BEFORE-failing-for-date-extraction/m-p/140349#M184821 <P>Try this in you props.conf (under your sourcetype)</P> <PRE><CODE>[YourSourcetype] BREAK_ONLY_BEFORE = ^\d\d\d\d-\d\d-\d\d\s\d\d:\d\d:\d\d,\d\d\d NO_BINARY_CHECK = 1 SHOULD_LINEMERGE = true TIME_FORMAT = %Y-%m-%d %H:%M:%S,%3Q </CODE></PRE> <P>----------------------Update------</P> <P>This seems to work with my sample data (including events with just below, takes time from event itself)<BR /> Cookie Value##Wed Apr 23 23:01:00 EDT 2014.</P> <PRE><CODE>[YourSourcetype] BREAK_ONLY_BEFORE = ^\d\d\d\d-\d\d-\d\d\s\d\d:\d\d:\d\d,\d\d\d MAX_TIMESTAMP_LOOKAHEAD = 150 NO_BINARY_CHECK = 1 SHOULD_LINEMERGE = true TIME_FORMAT = %Y-%m-%d %H:%M:%S,%3Q pulldown_type = 1 </CODE></PRE> Wed, 23 Apr 2014 17:39:19 GMT https://community.splunk.com/t5/Splunk-Search/BREAK-ONLY-BEFORE-failing-for-date-extraction/m-p/140349#M184821 somesoni2 2014-04-23T17:39:19Z https://community.splunk.com/t5/Splunk-Search/BREAK-ONLY-BEFORE-failing-for-date-extraction/m-p/140350#M184822 <P>We have used BREAK_ONLY_BEFORE as shown below.</P> <P>BREAK_ONLY_BEFORE = ^\d\d\d\d-\d\d-\d\d\s\d\d:\d\d:\d\d,\d\d\d</P> Mon, 28 Sep 2020 16:27:01 GMT https://community.splunk.com/t5/Splunk-Search/BREAK-ONLY-BEFORE-failing-for-date-extraction/m-p/140350#M184822 muguniya 2020-09-28T16:27:01Z https://community.splunk.com/t5/Splunk-Search/BREAK-ONLY-BEFORE-failing-for-date-extraction/m-p/140351#M184823 <P><CODE>BREAK_ONLY_BEFORE = ^\d\d\d\d-\d\d-\d\d\s\d\d:\d\d:\d\d,\d\d\d</CODE> </P> <P>back slash is being discarded so updated the string again</P> Wed, 23 Apr 2014 17:39:20 GMT https://community.splunk.com/t5/Splunk-Search/BREAK-ONLY-BEFORE-failing-for-date-extraction/m-p/140351#M184823 muguniya 2014-04-23T17:39:20Z https://community.splunk.com/t5/Splunk-Search/BREAK-ONLY-BEFORE-failing-for-date-extraction/m-p/140352#M184824 <P>Do you event like this in splunk?</P> <P>2014-04-23 10:11:44,000 DEBUG 143.171.102.228 WebContainer : 15- Getting value of source system for first time user.<BR /> Cookie Value##Wed Apr 23 21:01:00 EDT 2014</P> <P>?</P> Wed, 23 Apr 2014 18:14:53 GMT https://community.splunk.com/t5/Splunk-Search/BREAK-ONLY-BEFORE-failing-for-date-extraction/m-p/140352#M184824 linu1988 2014-04-23T18:14:53Z https://community.splunk.com/t5/Splunk-Search/BREAK-ONLY-BEFORE-failing-for-date-extraction/m-p/140353#M184825 <P>We have tried above said settings, its not working when we received an event like ##Cookie Value##Wed Apr 23 21:01:00 EDT 2014. Splunk treats this as a sperate event.</P> <P>Please let us know for more information.</P> Wed, 23 Apr 2014 18:25:07 GMT https://community.splunk.com/t5/Splunk-Search/BREAK-ONLY-BEFORE-failing-for-date-extraction/m-p/140353#M184825 muguniya 2014-04-23T18:25:07Z https://community.splunk.com/t5/Splunk-Search/BREAK-ONLY-BEFORE-failing-for-date-extraction/m-p/140354#M184826 <P>Please try this. The problem you are having is there are two timestamps where splunk is able to get the time for the event and trying to break into events</P> <PRE><CODE>BREAK_ONLY_BEFORE_DATE=true NO_BINARY_CHECK=1 SHOULD_LINEMERGE=true TIME_FORMAT=%Y-%m-%d %H:%M:%S,3%q </CODE></PRE> <P>Thanks</P> Wed, 23 Apr 2014 18:28:33 GMT https://community.splunk.com/t5/Splunk-Search/BREAK-ONLY-BEFORE-failing-for-date-extraction/m-p/140354#M184826 linu1988 2014-04-23T18:28:33Z https://community.splunk.com/t5/Splunk-Search/BREAK-ONLY-BEFORE-failing-for-date-extraction/m-p/140355#M184827 <P>Above suggestion works when we received events as follows</P> <P>2014-04-23 10:11:44,000 DEBUG 143.171.102.228 WebContainer : 15- Getting value of source system for first time user.<BR /> Cookie Value##Wed Apr 23 21:01:00 EDT 2014</P> <P>it fails when we receive only below event, we dont want this event populated with future time stamp in splunk<BR /> Cookie Value##Wed Apr 23 23:01:00 EDT 2014.</P> <P>Thanks</P> Wed, 23 Apr 2014 20:38:41 GMT https://community.splunk.com/t5/Splunk-Search/BREAK-ONLY-BEFORE-failing-for-date-extraction/m-p/140355#M184827 muguniya 2014-04-23T20:38:41Z https://community.splunk.com/t5/Splunk-Search/BREAK-ONLY-BEFORE-failing-for-date-extraction/m-p/140356#M184828 <P>is it taking the cookie timestamp? It shouldn't because it's told not to read that time format!!!</P> Thu, 24 Apr 2014 18:53:56 GMT https://community.splunk.com/t5/Splunk-Search/BREAK-ONLY-BEFORE-failing-for-date-extraction/m-p/140356#M184828 linu1988 2014-04-24T18:53:56Z https://community.splunk.com/t5/Splunk-Search/BREAK-ONLY-BEFORE-failing-for-date-extraction/m-p/140357#M184829 <P>Yes, your are right, its not taking Cookie TimeStamp. We are analyzed the event and plannign to add date time before ##Cookie....</P> <P>Thank you so much for the solution provided.</P> Thu, 24 Apr 2014 19:41:27 GMT https://community.splunk.com/t5/Splunk-Search/BREAK-ONLY-BEFORE-failing-for-date-extraction/m-p/140357#M184829 muguniya 2014-04-24T19:41:27Z https://community.splunk.com/t5/Splunk-Search/BREAK-ONLY-BEFORE-failing-for-date-extraction/m-p/140358#M184830 <P>Yes, your are right, its not taking Cookie TimeStamp. We have analyzed the event and planning to add date time before ##Cookie....Thank you so much for the solution provided.</P> Thu, 24 Apr 2014 19:42:14 GMT https://community.splunk.com/t5/Splunk-Search/BREAK-ONLY-BEFORE-failing-for-date-extraction/m-p/140358#M184830 muguniya 2014-04-24T19:42:14Z