Getting Data In

Can you suggest a format for a source type event break that doesn't truncate the following JSON logs?

pdantuuri0411
Explorer

I have a JSON log that is getting truncated because of the event break pattern in the source type. I cloned the source type to create a similar one with a different event break pattern so that the log doesn't get truncated. My current event break is \d\d?:\d\d:\d\d.

The log I have is

"USER_STAR_BADGE" : "160",
"USER_TYPE_CD" : "INSPECTOR",
"USER_EMAIL" : "atp@sgifn.com",
"SECUR_ROLE_ID" : "1",
"USER_STATUS_CD" : "A",
"USER_STATUS_DATE" : "2012-12-27 11:23:20.0",
"CREATE_TIMESTAMP" : "2012-12-27 11:23:20.0",
"CREATE_USERID" : "32845",
"UPDATE_TIMESTAMP" : "2016-02-26 12:33:42.0",
"UPDATE_USERID" : "186"

The event is breaking before "USER_STATUS_DATE" : "2012-12-27 11:23:20.0", because of the event break pattern. Please suggest a format for event break so that the log doesn't get truncated.

0 Karma

Rob2520
Communicator

Not sure if this is what you are asking for. Every event breaks at "USER_STAR_BADGE".

0 Karma

pdantuuri0411
Explorer

Thanks for the reply, Rob. I am sorry to confuse you with the lack of detail in the post. I have a log file where 8 lines in the middle are getting truncated. I want to set my source type configuration so they do not get truncated. Here is the original log file

"AppData" : {
"user_info" : {
"USERID" : "",
"USER_CHICAGO_ID" : "",
"USER_PASSWORD" : "*****",
"USER_LAST_NAME" : "",
"USER_FIRST_NAME" : "",
"DEPT_ID" : "",
"USER_STAR_BADGE" : "",
"USER_TYPE_CD" : "",
"USER_EMAIL" : "",
"SECUR_ROLE_ID" : "",
"USER_STATUS_CD" : "",
"USER_STATUS_DATE" : "",
"CREATE_TIMESTAMP" : "",
"CREATE_USERID" : "",
"UPDATE_TIMESTAMP" : "2018-06-27 09:39:13.0",
"UPDATE_USERID" : ""
},
"image_info" : {
"image_key" : "359764084248580-img15_jpg-1539965048401",
"image_len" : 903988,
"create_time" : 1539965048401,
"location" : {

Here is what Splunk is extracting

},
"AppData" : {
"user_info" : {
"USERID" : "607",
"USER_CHICAGO_ID" : "",
"USER_PASSWORD" : "",
"USER_LAST_NAME" : "",
"USER_FIRST_NAME" : "",
"DEPT_ID" : "13",
"USER_STAR_BADGE" : "",
"USER_TYPE_CD" : "",
"USER_EMAIL" : "",
"SECUR_ROLE_ID" : "",
"USER_STATUS_CD" : "",
"create_time" : ,
"location" : {

As you can see, the lines between "USER_STATUS_CD" : "", and "create_time" : , are missing. I don't want those lines to be missing. I want Splunk to extract those lines too.

0 Karma

Rob2520
Communicator

I don't think you shared the complete log event. The one you shared is not fully formed JSON. I would check by removing the event breaker and see if I get the whole event.

0 Karma

sudosplunk
Motivator

I see there are 2-3 timestamps in the event. What are the event boundaries that you'd like to break on?

0 Karma

pdantuuri0411
Explorer

I do not want to break it at all. Is that possible? I want the whole event to be logged.

0 Karma

Vijeta
Influencer

It's probably breaking at the date timestamp settings. What is the configuration for the date timestamp for this event? Also, you can change DATE TIMESTAMP to current if it does not impact you.

0 Karma

pdantuuri0411
Explorer

It is breaking at "USER_STATUS_DATE" : "2012-12-27 11:23:20.0". I get logs before that line. It was suggested that I change the event break value in the source type option. I am not sure what to change it to.

0 Karma
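
One way to check a candidate event break pattern offline against sample lines before changing the source type, given here as an added example that is not from any participant in the thread. It uses a simplified model (a new event starts before each line that matches the pattern), not Splunk's own parser; the sample is constructed from the lines quoted above, and the anchored pattern assumes every record opens with the "AppData" key.

```python
import re

# Constructed sample: two records shaped like the log lines quoted in the thread.
SAMPLE = """\
"AppData" : {
"user_info" : {
"USERID" : "607",
"USER_STATUS_CD" : "A",
"USER_STATUS_DATE" : "2012-12-27 11:23:20.0",
"UPDATE_USERID" : "186"
}
}
"AppData" : {
"user_info" : {
"UPDATE_TIMESTAMP" : "2018-06-27 09:39:13.0"
}
}"""

ORIGINAL = r'\d\d?:\d\d:\d\d'        # event break pattern from the question
ANCHORED = r'^"AppData"\s*:\s*\{'    # assumption: every record opens with this key

def merge_lines(text, break_before):
    """Simplified model: start a new event before each line matching break_before."""
    pattern = re.compile(break_before)
    events = []
    for line in text.splitlines():
        if not events or pattern.search(line):
            events.append([])
        events[-1].append(line)
    return ["\n".join(e) for e in events]

def is_whole(event):
    """A record is whole when its braces nest and close (no braces inside values here)."""
    depth = 0
    for ch in event:
        depth += (ch == "{") - (ch == "}")
        if depth < 0:
            return False
    return depth == 0 and "{" in event

def check(break_before):
    """Return (event count, number of whole records) for a candidate pattern."""
    events = merge_lines(SAMPLE, break_before)
    return len(events), sum(is_whole(e) for e in events)

if __name__ == "__main__":
    for name, pat in (("original", ORIGINAL), ("anchored", ANCHORED)):
        print(name, "-> (events, whole records) =", check(pat))
```
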