
Accepted time is suspiciously far away from the previous event's time

bschaap
Path Finder

I'm ingesting logs that have both event timestamps and timestamps within the contents of the logs. My props.conf contains BREAK_ONLY_BEFORE=<[A-Z], but it's breaking on CONTENTDATE as well. It is not exceeding the 10K default maximum event character length. Does anyone have any suggestions?

<V ts="2018-07-16 22:14:28" >
...
...
CONTENTDATE=2017-11-30 10:48:11
...
...

0 Karma

somesoni2
Revered Legend

Give this config a try

[yourSourceType]
# Disable line merging so the merger's own date-based heuristics never split an event
SHOULD_LINEMERGE = false
# Break only on newline(s) that are immediately followed by a <... ts= header; the
# captured newline(s) in group 1 are consumed as the event boundary
LINE_BREAKER = ([\r\n]+)(?=\<\S+\s+ts\=)
# Anchor timestamp extraction to the header at the start of the event
TIME_PREFIX = ^\<\S+\s+ts\=\"
TIME_FORMAT = %Y-%m-%d %H:%M:%S
# 19 characters is exactly "YYYY-mm-dd HH:MM:SS", so CONTENTDATE is never reached
MAX_TIMESTAMP_LOOKAHEAD = 19
0 Karma
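The following is an added example, not code from the thread or from Splunk. It emulates in Python what the props.conf settings in the answer above do at index time: break events only at a newline followed by a `<... ts=` header (Splunk discards the text captured by the LINE_BREAKER's first group), then read the timestamp only from the 19 characters after the TIME_PREFIX match. Beside it sits the failure mode the question describes: a breaker that starts a new event at every line containing a date, combined with unanchored "first date anywhere" extraction. A small re-creation of the "accepted time is suspiciously far away from the previous event" check shows why this matters for anyone relying on `_time` for timelines or correlation: the misconfigured path produces events stamped months or years apart. The sample log, the `break_before_any_date` approximation of the symptom, and the one-day gap threshold are all constructed assumptions, not Splunk's internal algorithm or thresholds.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log (not from the original post). Each record opens with a
# <V ts="..."> header and carries an older CONTENTDATE inside its body.
SAMPLE = (
    '<V ts="2018-07-16 22:14:28">\n'
    'id=1\n'
    'CONTENTDATE=2017-11-30 10:48:11\n'
    'body=alpha\n'
    '<V ts="2018-07-16 22:14:29">\n'
    'id=2\n'
    'CONTENTDATE=2016-02-01 09:00:00\n'
    'body=beta\n'
)

# Python equivalents of the props.conf settings in the answer above.
LINE_BREAKER = re.compile(r"([\r\n]+)(?=<\S+\s+ts=)")
TIME_PREFIX = re.compile(r'^<\S+\s+ts="')          # anchored to the event start
TIME_FORMAT = "%Y-%m-%d %H:%M:%S"
MAX_TIMESTAMP_LOOKAHEAD = 19                        # len("2018-07-16 22:14:28")

# Loose pattern standing in for "anything that looks like a timestamp".
ANY_DATE = re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}")


def split_events(raw):
    """SHOULD_LINEMERGE=false + LINE_BREAKER: cut the stream at the newline(s) in
    capture group 1, but only where the next line begins with a <... ts= header.
    The captured newline(s) are dropped, as Splunk does with group 1."""
    events, start = [], 0
    for m in LINE_BREAKER.finditer(raw):
        events.append(raw[start:m.start(1)])
        start = m.end(1)
    events.append(raw[start:])
    return [e.rstrip("\r\n") for e in events if e.strip()]


def anchored_time(event):
    """TIME_PREFIX + MAX_TIMESTAMP_LOOKAHEAD: parse only the 19 characters that
    follow the header prefix, so an embedded CONTENTDATE can never be selected."""
    m = TIME_PREFIX.match(event)
    if m is None:
        return None
    window = event[m.end(): m.end() + MAX_TIMESTAMP_LOOKAHEAD]
    return datetime.strptime(window, TIME_FORMAT)


def first_date_anywhere(event):
    """Unanchored extraction: take the first date-like string in the event.
    A fragment that starts at a CONTENTDATE line is stamped with the content date."""
    m = ANY_DATE.search(event)
    return datetime.strptime(m.group(0), TIME_FORMAT) if m else None


def break_before_any_date(raw):
    """Constructed approximation of the symptom in the question: every line that
    contains a date opens a new event, so CONTENTDATE lines become boundaries."""
    events, current = [], []
    for line in raw.splitlines():
        if ANY_DATE.search(line) and current:
            events.append("\n".join(current))
            current = []
        current.append(line)
    if current:
        events.append("\n".join(current))
    return events


def suspicious_gaps(times, max_gap=timedelta(days=1)):
    """Re-creation of the 'accepted time is suspiciously far away' warning: return the
    index of every event whose time jumps more than max_gap (either direction) from
    the previous event. The one-day threshold is an assumption for this example."""
    return [i for i in range(1, len(times)) if abs(times[i] - times[i - 1]) > max_gap]


def index(raw, breaker, extractor):
    """Break raw text into events with `breaker` and stamp each with `extractor`."""
    return [extractor(e) for e in breaker(raw)]


if __name__ == "__main__":
    good = index(SAMPLE, split_events, anchored_time)
    bad = index(SAMPLE, break_before_any_date, first_date_anywhere)
    print("header-anchored:", [t.isoformat(sep=" ") for t in good], suspicious_gaps(good))
    print("date-driven    :", [t.isoformat(sep=" ") for t in bad], suspicious_gaps(bad))
```

Run it directly and the header-anchored path yields two events one second apart with nothing flagged, while the date-driven path yields four fragments whose stamps swing between 2016 and 2018, every one of them flagged. The same two properties, a breaker that cannot fire on body content and a time extractor that cannot look past the header, are what the props.conf above enforces on the indexer.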

adonio
Ultra Champion

Can you share masked events and point out where you would like them to break and which values are the desired timestamps?

0 Karma