Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Help with Line Break for log
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
04/19/18 12:32:17.398524 - IQ~MSG.ACCTNUM(XXXX).FUNCTION(Inquiry).CALLER(Hos
tLoanExists).DATETIME(4/19/2018 12:32:17 PM)~A0~BLMS~DCARD~F??????????????~HL
OAN~JID=ALL
04/19/18 12:32:17.398907 - RSIQ~MSG.ACCTNUM(XXXX).FUNCTION(Inquiry).CALLER(H
ostLoanExists).DATETIME(4/19/2018 12:32:17 PM)~K1:SymConnect is off host
04/19/18 12:33:26.915422 - IQ~MSG.ACCTNUM(XXXX).FUNCTION(Inquiry).CALLER(Ho
stLoanExists).DATETIME(4/19/2018 12:33:26 PM)~A0~BLMS~DCARD~F??????????????~H
LOAN~JID=ALL
04/19/18 12:33:26.930871 - RSIQ~MSG.ACCTNUM(XXXX).FUNCTION(Inquiry).CALLER(
HostLoanExists).DATETIME(4/19/2018 12:33:26 PM)~K0~JID=01~JID=02~JID=03~JID=0
4~JID=05~JID=06~JID=07~JID=08~JID=09~JID=10~JID=80~JID=81~JID=82
04/19/18 12:33:39.309465 - IQ~MSG.ACCTNUM(XXXX).FUNCTION(Inquiry).CALLER(Hos
tLoanExists).DATETIME(4/19/2018 12:33:39 PM)~A0~BLMS~DCARD~F??????????????~HL
OAN~JID=ALL
04/19/18 12:33:39.310146 - RSIQ~MSG.ACCTNUM(XXXX).FUNCTION(Inquiry).CALLER(H
ostLoanExists).DATETIME(4/19/2018 12:33:39 PM)~K0~JID=01~JID=02~JID=80~JID=81
04/19/18 12:34:05.371520 - IQ~MSG.ACCTNUM(XXXX).FUNCTION(Inquiry).CALLER(Hos
tLoanExists).DATETIME(4/19/2018 12:34:05 PM)~A0~BLMS~DCARD~F??????????????~HL
OAN~JID=ALL
04/19/18 12:34:05.372184 - RSIQ~MSG.ACCTNUM(XXXX).FUNCTION(Inquiry).CALLER(H
ostLoanExists).DATETIME(4/19/2018 12:34:05 PM)~K0~JID=80
04/19/18 12:34:57.811784 - IQ~MSG.ACCTNUM(XXXX).FUNCTION(Inquiry).CALLER(Host
LoanExists).DATETIME(4/19/2018 12:34:57 PM)~A0~BLMS~DCARD~F??????????????~HLO
AN~JID=ALL
A new entry always begin with 00/00/00
What would the line_break be for my props?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this (props.conf on your indexer/heavy forwarder)
[yoursourcetype]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)(?=\d+\/\d+\/\d+\s\d+\:)
TIME_PREFIX = ^
TIME_FORMAT = %m/%d/%y %H:%M:%S.%6N
MAX_TIMESTAMP_LOOKAHEAD = 26
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
works like a charm! Thank you!!!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this (props.conf on your indexer/heavy forwarder)
[yoursourcetype]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)(?=\d+\/\d+\/\d+\s\d+\:)
TIME_PREFIX = ^
TIME_FORMAT = %m/%d/%y %H:%M:%S.%6N
MAX_TIMESTAMP_LOOKAHEAD = 26
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Announcing Modern Navigation: A New Era of Splunk User Experience
Observability Simplified: Combining User Experience, Application Performance & ...
Event Series May & June: From Network Visibility to Service Intelligence
