Getting Data In

Event not showing full log entry.. newline issue?

clamendola
New Member

For some reason Splunk is indexing one of my log files a bit oddly. In the following excerpt, the Splunk event is only displaying up to the Patch Description line. The previous 20 lines of the log are being indexed without a problem, and I cannot figure out why it's stopping here. If I move the "Created..." line onto the same line as "Patch Description...", I see Created, but then the next line is cut off. I tried re-entering the newline in between the strings, but that didn't make a difference. It has to be a newline issue since moving it onto the same line indexes, but I cannot for the life of me figure out why Splunk is treating some newlines differently than others.

Anyone have any insight on this?

Unique Patch ID: 198774662
Patch description: "One-off"
Created on 9 May2016, 00:43:09 hrs UTC
Bugs fixed:

0 Karma

cpetterborg
SplunkTrust

It is probably because the line after the Patch Description has a date. If you haven't defined how the line breaking is done, Splunk likes to use the line with the date as the first line of an event. I would suggest putting the line breaker information in the props.conf file.

0 Karma

clamendola
New Member

Hm. That would make sense. Is there any way to escape the dates in the log file so that Splunk doesn't read them as new entries? I can change how the log is written, but the dates are necessary.

I'm trying to avoid adding anything to the props.conf file as I don't want any global changes affecting how the other logs on these servers are being indexed.

0 Karma

cpetterborg
SplunkTrust

There isn't a way to make it avoid looking at the date for the line breaker that I know of without specifying it in the props.conf file. And since we are on that subject, the sourcetype is what you tie the props.conf definition to for the line break (it's not global), so it should not affect other data coming in. Use something like:

[your_source_type]
BREAK_ONLY_BEFORE=^Unique Patch ID:
# TIME_FORMAT (not DATE_FORMAT) is the props.conf setting; it takes a strptime-style pattern
TIME_FORMAT=<yourdateformathere>

0 Karma