Getting Data In

How do I configure props.conf to break events based on the time prefix '@' character and a timestamp format of '%H:%M:%S.%3N'?

New Member

I want a configuration so that events are divided on the basis of the time prefix @ and the timestamp configuration %H:%M:%S.%3N. Each event starts with this config and not in the middle of an event.

0 Karma

Re: How do I configure props.conf to break events based on the time prefix '@' character and a timestamp format of '%H:%M:%S.%3N'?

Contributor

You can define your own line breaks. Please refer to the link below:

http://docs.splunk.com/Documentation/Splunk/6.2.2/Data/Indexmulti-lineevents

0 Karma

Re: How do I configure props.conf to break events based on the time prefix '@' character and a timestamp format of '%H:%M:%S.%3N'?

Splunk Employee

If you could post 2 or 3 example events, we could help further.

0 Karma

Re: How do I configure props.conf to break events based on the time prefix '@' character and a timestamp format of '%H:%M:%S.%3N'?

New Member

expected =====>
@13:38:06.9061 [ISCC] [connection 7fe1807fbed0] connecting [0]1
@13:38:06.9066 [ISCC] SERVER: (EMEAIRLORKTSvrB) set cluster info1
@13:38:06.9068 [ISCC] SERVER: (EMEAIRLORKTSvrB) set cluster info2

But Splunk is breaking the following event as well:
-AI[t/o:90000,trace]->-42 @13:38:06.8883

0 Karma

Re: How do I configure props.conf to break events based on the time prefix '@' character and a timestamp format of '%H:%M:%S.%3N'?

Splunk Employee
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)@
0 Karma
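
The following is an added example, not code from the thread or from Splunk: a small Python approximation of how `LINE_BREAKER` splits raw text when `SHOULD_LINEMERGE = false`, useful for checking a breaker regex against sample lines before deploying it. The function names and the ordering of the sample lines are assumptions; the log lines themselves are the ones quoted in the thread.

```python
import re

# The LINE_BREAKER value from the answer above.
LINE_BREAKER = r"([\r\n]+)@"

# Constructed raw input built from the events quoted in the thread; the
# third line is the one that must stay attached to the preceding event.
RAW = (
    "@13:38:06.9061 [ISCC] [connection 7fe1807fbed0] connecting [0]1\n"
    "@13:38:06.9066 [ISCC] SERVER: (EMEAIRLORKTSvrB) set cluster info1\n"
    "-AI[t/o:90000,trace]->-42 @13:38:06.8883\n"
    "@13:38:06.9068 [ISCC] SERVER: (EMEAIRLORKTSvrB) set cluster info2\n"
)


def break_events(raw, line_breaker=LINE_BREAKER):
    """Approximate LINE_BREAKER with SHOULD_LINEMERGE = false.

    The event ends where capture group 1 starts, group 1 is discarded,
    and the next event starts right after group 1 (so the '@' is kept).
    """
    events, start = [], 0
    for m in re.finditer(line_breaker, raw):
        events.append(raw[start:m.start(1)])
        start = m.end(1)
    tail = raw[start:].rstrip("\r\n")
    if tail:
        events.append(tail)
    return events


def misbroken(events):
    """Return events that do not begin with '@HH:MM:SS.' followed by digits."""
    ok = re.compile(r"@\d{2}:\d{2}:\d{2}\.\d+")
    return [e for e in events if not ok.match(e)]


if __name__ == "__main__":
    for label, regex in (("newline only", r"([\r\n]+)"),
                         ("newline + @", LINE_BREAKER)):
        events = break_events(RAW, regex)
        print(f"{label}: {len(events)} events, "
              f"{len(misbroken(events))} not starting with a timestamp")
```

A breaker on newlines alone splits the `-AI[...]` line into its own event, while requiring `@` immediately after the newline keeps it inside the event that precedes it; the `@` in the middle of that line is never a break point because no newline comes before it.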