Getting Data In

Accepted time is suspiciously far away from the previous event's time

bschaap
Path Finder

I'm ingesting logs that have both event timestamps as well as timestamps within the contents of the logs. My props.conf contains BREAK_ONLY_BEFORE=<[A-Z] but it's breaking on CONTENTDATE as well. It is not exceeding the 10K default max event character length. Does anyone have any suggestions?

<V ts="2018-07-16 22:14:28" >
...
...
CONTENTDATE=2017-11-30 10:48:11
...
...

0 Karma

somesoni2
Revered Legend

Give this config a try

[yourSourceType]
# Disable line merging so LINE_BREAKER alone decides where events start
SHOULD_LINEMERGE = false
# Break only on a newline run that is followed by a "<... ts=" header
LINE_BREAKER = ([\r\n]+)(?=\<\S+\s+ts\=)
# Read the timestamp only from the header attribute, not from the event body
TIME_PREFIX = ^\<\S+\s+ts\=\"
TIME_FORMAT = %Y-%m-%d %H:%M:%S
# 19 characters covers exactly "YYYY-MM-DD HH:MM:SS"
MAX_TIMESTAMP_LOOKAHEAD = 19
0 Karma
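As an added illustration that is not part of the original thread or of Splunk itself, the Python below models the answer's settings on a constructed sample: LINE_BREAKER with the lookahead splits only before a `<... ts=` header, and TIME_PREFIX plus MAX_TIMESTAMP_LOOKAHEAD parse only the 19 characters after `ts="`, so the embedded CONTENTDATE neither starts a new event nor becomes the event time. For contrast it also models the symptom the question reports (a break before any line carrying a date) and a simple gap check standing in for the "suspiciously far away" warning; the 86400-second threshold and the `naive_break`/`loose_time` names are assumptions of this example, not Splunk's actual heuristic.

```python
import re
from datetime import datetime

# Constructed sample input (not from the original post): two <V ...> events,
# each carrying an embedded CONTENTDATE that must not start a new event or
# become the event's timestamp.
RAW = (
    '<V ts="2018-07-16 22:14:28" >\n'
    'FIELDA=1\n'
    'CONTENTDATE=2017-11-30 10:48:11\n'
    'FIELDB=2\n'
    '<V ts="2018-07-16 22:15:03" >\n'
    'CONTENTDATE=2016-01-02 03:04:05\n'
)

# The settings from the answer, as Python regexes.
LINE_BREAKER = re.compile(r'([\r\n]+)(?=<\S+\s+ts=)')
TIME_PREFIX = re.compile(r'^<\S+\s+ts="')
TIME_FORMAT = "%Y-%m-%d %H:%M:%S"
MAX_TIMESTAMP_LOOKAHEAD = 19  # len("2018-07-16 22:14:28")

DATE_RE = re.compile(r'\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}')


def break_events(raw):
    """Split like LINE_BREAKER with SHOULD_LINEMERGE=false: the text matched by
    capture group 1 is the delimiter and is discarded; the lookahead keeps the
    '<V ts=' header in the next event. CONTENTDATE lines never match the
    lookahead, so they stay inside their event."""
    events, start = [], 0
    for m in LINE_BREAKER.finditer(raw):
        if m.start(1) > start:
            events.append(raw[start:m.start(1)])
        start = m.end(1)
    tail = raw[start:].rstrip("\r\n")
    if tail:
        events.append(tail)
    return events


def extract_time(event):
    """TIME_PREFIX anchors the search at the header, and only the next
    MAX_TIMESTAMP_LOOKAHEAD characters are parsed with TIME_FORMAT, so a date
    deeper in the body can never win. Returns None when the prefix is absent
    (Splunk would then fall back to its other timestamp rules)."""
    m = TIME_PREFIX.search(event)
    if not m:
        return None
    window = event[m.end():m.end() + MAX_TIMESTAMP_LOOKAHEAD]
    return datetime.strptime(window, TIME_FORMAT)


def naive_break(raw):
    """Model of the symptom the question reports (an assumption, not Splunk's
    merging code): a new event starts before any line beginning with '<' plus a
    capital letter AND before any line that contains a date, so CONTENTDATE
    becomes a break."""
    events = []
    for line in raw.splitlines():
        if not line:
            continue
        if re.match(r'<[A-Z]', line) or DATE_RE.search(line) or not events:
            events.append(line)
        else:
            events[-1] += "\n" + line
    return events


def loose_time(event):
    """First date found anywhere in the event, with no prefix anchoring."""
    m = DATE_RE.search(event)
    return datetime.strptime(m.group(0), TIME_FORMAT) if m else None


def large_gaps(events, time_fn, max_gap_seconds):
    """Consecutive events whose times differ by more than max_gap_seconds.
    The threshold is this example's own; Splunk's exact heuristic behind the
    'suspiciously far away' warning is not modelled."""
    flagged, prev = [], None
    for i, ev in enumerate(events):
        t = time_fn(ev)
        if t is None:
            continue
        if prev is not None:
            gap = abs((t - prev).total_seconds())
            if gap > max_gap_seconds:
                flagged.append((i, gap))
        prev = t
    return flagged


if __name__ == "__main__":
    good = break_events(RAW)
    print(len(good), "events with LINE_BREAKER;",
          [extract_time(e).strftime(TIME_FORMAT) for e in good],
          "gaps:", large_gaps(good, extract_time, 86400))
    bad = naive_break(RAW)
    print(len(bad), "events when dates also break; gaps:",
          large_gaps(bad, loose_time, 86400))
```

With the answer's settings the sample yields two events 35 seconds apart and no gap is flagged; with date lines allowed to break, the two CONTENTDATE lines become their own events and every consecutive pair is months or years apart, which is the condition behind the warning in the thread title.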

adonio
Ultra Champion

Can you share masked events and point out where you would like it to break and which values are the desired timestamp?

0 Karma