For some reason Splunk is indexing one of my log files a bit oddly. In the following excerpt, the Splunk event is only displaying up to the Patch Description line. The previous 20 lines of the log are being indexed without a problem, and I cannot figure out why it's stopping here. If I move the "Created..." line to the same line as "Patch Description...", I see Created, but then the next line is cut off. I tried re-entering the newline in between the strings, but that didn't make a difference. It has to be a newline issue since moving it onto the same line indexes, but I cannot for the life of me figure out why Splunk is treating some newlines differently than others.
Anyone have any insight on this?
Unique Patch ID: 198774662
Patch description: "One-off"
Created on 9 May2016, 00:43:09 hrs UTC
It is probably because the line after the Patch Description has a date. If you haven't defined how the line breaking is done, Splunk likes to use the line with the date as the first line of an event. I would suggest putting the line breaker information in the
Hm... That would make sense. Is there any way to escape the dates in the log file so that Splunk doesn't read them as new entries? I can change how the log is written, but the dates are necessary.
I'm trying to avoid adding anything to the props.conf file as I don't want any global changes affecting how the other logs on these servers are being indexed.
There isn't a way to make it avoid looking at the date for the line breaker that I know of without specifying it in the props.conf file. And since we are on that subject, the sourcetype is what you tie the props.conf definition to for the line break (it's not global), so it should not affect other data coming in. Use something like:
[your_source_type]
BREAK_ONLY_BEFORE=^Unique Patch ID:
TIME_FORMAT=<yourdateformathere>
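To make the behaviour discussed in this thread concrete, here is an added Python example (not code from the original post or from Splunk) that approximates the two line-merging modes on a constructed log modelled on the excerpt above. The date regex is a deliberately narrow stand-in for Splunk's own timestamp recognition, and the `Created on` prefix and strptime format are assumptions about this log's layout, not settings taken from the page.

```python
import re
from datetime import datetime

# Constructed sample log, modelled on the excerpt in the question (not real data).
SAMPLE_LOG = """\
Unique Patch ID: 198774662
Patch description: "One-off"
Created on 9 May2016, 00:43:09 hrs UTC
Unique Patch ID: 198774663
Patch description: "One-off"
Created on 10 May2016, 01:02:03 hrs UTC
"""

# Narrow stand-in for Splunk's automatic timestamp detection: day, month name, year.
# Splunk recognises far more formats; this only needs to match the sample's layout.
DATE_RE = re.compile(
    r"\b\d{1,2}\s*(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)[a-z]*\s*\d{4}\b"
)


def _merge(lines, starts_new_event):
    """Shared merge loop: a line either begins a new event or is appended to the
    current one. The first non-empty line always begins the first event."""
    events = []
    for line in lines:
        if not line.strip():
            continue
        if events and not starts_new_event(line):
            events[-1] += "\n" + line
        else:
            events.append(line)
    return events


def split_default(text):
    """Approximation of Splunk's default line merging (BREAK_ONLY_BEFORE_DATE = true):
    any line that contains a date starts a new event, which is why the question's
    event stops right before the 'Created on' line."""
    return _merge(text.splitlines(), lambda line: bool(DATE_RE.search(line)))


def split_with_rule(text, break_before_pattern):
    """Approximation of BREAK_ONLY_BEFORE=<regex>: a new event starts only at a line
    matching the regex; dated lines elsewhere are kept inside the current event."""
    pat = re.compile(break_before_pattern)
    return _merge(text.splitlines(), lambda line: bool(pat.search(line)))


def event_timestamp(event, prefix=r"Created on ", fmt="%d %b%Y, %H:%M:%S"):
    """Pull the event time out of a merged event the way a TIME_PREFIX/TIME_FORMAT
    pair would. Both the prefix and the strptime format are assumptions for this
    sample log."""
    match = re.search(prefix + r"(\d{1,2} [A-Za-z]{3}\d{4}, \d{2}:\d{2}:\d{2})", event)
    if not match:
        return None
    return datetime.strptime(match.group(1), fmt)


if __name__ == "__main__":
    print("default merging:")
    for ev in split_default(SAMPLE_LOG):
        print("---\n" + ev)
    print("\nBREAK_ONLY_BEFORE=^Unique Patch ID: :")
    for ev in split_with_rule(SAMPLE_LOG, r"^Unique Patch ID:"):
        print("---\n" + ev, "| timestamp:", event_timestamp(ev))
```

With the default mode the sample becomes three events and the second patch record is glued onto the previous record's "Created on" line; with the `^Unique Patch ID:` rule it becomes two events of three lines each, and the timestamp is still recoverable from inside each event. The real fix is the props.conf stanza in the answer above; this script only shows why the observed breaking happens.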