Hey there Splunk community. I'm new here and I would appreciate some help if it is possible.
I'm running a Python script that generates a 4 line event inside my Splunk app. The strange thing about it is that it always generates the same amount of characters (spread across 4 lines) and my events still break into 2 linecounts 20% of the time. I don't see any pattern whatsoever. Is there a way to solve this?
@mrrci - Check your sourcetype's props.conf for line breaker and timestamp extraction.
[<your sourcetype>]
LINE_BREAKER = ([\n\r]+)\d{8}[\n\r]+
SHOULD_LINEMERGE = false
TRUNCATE = 100
Please also set the following parameters for timestamp extraction, if you have not set them already.
TIME_PREFIX = regex of the text that leads up to the timestamp
MAX_TIMESTAMP_LOOKAHEAD = how many characters for the timestamp
TIME_FORMAT = strptime format of the timestamp
I hope this helps!! Upvote/Karma would be appreciated!!!!
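How the LINE_BREAKER from the answer above segments a stream, shown as an added example that is not part of the original thread: a simplified Python model of Splunk's rule that only the first capture group is discarded at an event boundary. The sample events, field names and the helper names `break_events` and `linecounts` are constructed for illustration; the asker's real event format is not shown on the page.

```python
import re

# LINE_BREAKER from the answer: only capture group 1 is discarded, so the
# 8-digit line is kept as the first line of the next event.
ANSWER_BREAKER = r"([\n\r]+)\d{8}[\n\r]+"
# Splunk's documented default LINE_BREAKER, for comparison.
DEFAULT_BREAKER = r"([\r\n]+)"


def break_events(stream, line_breaker, truncate=100):
    """Simplified model of LINE_BREAKER with SHOULD_LINEMERGE = false."""
    events, start = [], 0
    for m in re.finditer(line_breaker, stream):
        events.append(stream[start:m.start(1)])  # text before group 1 ends the event
        start = m.end(1)                         # text after group 1 starts the next
    if start < len(stream):
        events.append(stream[start:])
    # TRUNCATE caps event length (characters here; Splunk counts bytes).
    return [e.rstrip("\r\n")[:truncate] for e in events if e.strip()]


def linecounts(events):
    """Number of lines per event, like Splunk's linecount field."""
    return [e.count("\n") + 1 for e in events]


# Constructed sample: three 4-line events, each opening with an 8-digit line.
SAMPLE = (
    "00000001\nhost=app01\nstatus=ok\nelapsed=12\n"
    "00000002\nhost=app01\nstatus=ok\nelapsed=15\n"
    "00000003\nhost=app02\nstatus=fail\nelapsed=90\n"
)
# Constructed edge case: a body line that is itself exactly 8 digits.
AMBIGUOUS = "00000004\nhost=app01\n20240101\nelapsed=3\n"

if __name__ == "__main__":
    print("answer breaker :", linecounts(break_events(SAMPLE, ANSWER_BREAKER)))
    print("default breaker:", linecounts(break_events(SAMPLE, DEFAULT_BREAKER)))
    print("8-digit body   :", linecounts(break_events(AMBIGUOUS, ANSWER_BREAKER)))
```

Under this model the pattern breaks before any line made up of exactly eight digits, so such a value inside an event body also starts a new event.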
And how does your _time correspond to those events? Because at first glance I'd also suspect that Splunk tries automagically to "fit" some date format to your number and breaks "before timestamp".
Is there a timestamp on your lines?
Do you have props for this sourcetype?
Yes, I created a sourcetype.