Developing for Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Unwanted line breaking when running a Python script

mrrci
Explorer
‎04-25-2022 12:57 PM

Hey there Splunk community. I'm new here and I would appreciate some help if it is possible.

I'm running a Python script that generates a 4 line event inside my Splunk app. The strange thing about it is that it always generates the same amount of characters (spread across 4 lines) and my events still break into 2 linecounts 20% of the time. I don't see any pattern whatsoever. Is there a way to solve this?

Screenshot_2022-04-25_20_51_39.png

Labels (3)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

VatsalJagani
Champion
‎04-25-2022 11:22 PM

@mrrci - Check your sourcetype's props.conf for line breaker and timestamp extraction.

[<your sourcetype>]
LINE_BREAKER = ([\n\r]+)\d{8}[\n\r]+
SHOULD_LINEMERGE = false
TRUNCATE = 100

 

Please also set the following parameters for timestamp extraction, if you have not set already.

TIME_PREFIX = regex of the text that leads up to the timestamp
MAX_TIMESTAMP_LOOKAHEAD = how many characters for the timestamp
TIME_FORMAT = strptime format of the timestamp

 

I hope this helps!! Upvote/Karma would be appreciated!!!!

View solution in original post

Reply
Solved! Jump to solution

PickleRick
Ultra Champion
‎04-25-2022 11:41 PM

And how does your _time correspond to those events? Because at first glance I'd also suspect that Splunks tries automagically to "fit" some date format to your number and breaks "before timestamp".

Reply
Solved! Jump to solution
Solution

VatsalJagani
Champion
‎04-25-2022 11:22 PM

@mrrci - Check your sourcetype's props.conf for line breaker and timestamp extraction.

[<your sourcetype>]
LINE_BREAKER = ([\n\r]+)\d{8}[\n\r]+
SHOULD_LINEMERGE = false
TRUNCATE = 100

 

Please also set the following parameters for timestamp extraction, if you have not set already.

TIME_PREFIX = regex of the text that leads up to the timestamp
MAX_TIMESTAMP_LOOKAHEAD = how many characters for the timestamp
TIME_FORMAT = strptime format of the timestamp

 

I hope this helps!! Upvote/Karma would be appreciated!!!!

Reply
Solved! Jump to solution

burwell
SplunkTrust
SplunkTrust
‎04-25-2022 02:11 PM

Is there a timestamp on your lines?

Do you have props for this sourcetype?

Reply
Solved! Jump to solution

mrrci
Explorer
‎04-25-2022 03:07 PM

Yes, I created a sourcetype.

0 Karma
Reply
Get Updates on the Splunk Community!