Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do i stop a file from being segmented?

MikeBertelsen
Communicator
‎08-12-2015 02:28 PM

This is the beginning of the file, line numbers for clarity:
1. Log File for: BatchJobOutput_20150801-0139_13516_MonthlyBatchJob_SAMM191.log
2. Started: Sat Aug 1 01:39:22 CDT 2015
3. Using path to access.properties: /opt/WebSphere/AppServer/lib/app
4. --------------------------
5. /usr/java64/jdk1.6.0_43/bin:/bin:/usr/bin:/opt/gnome/bin:/usr/X11/bin:/home/cd7543/scripts

This is the end of the file:
159. Ended: Sat Aug 1 01:40:55 CDT 2015
160.

There are many date references between these two sections and Splunk takes this one file and splits it up which is then displayed to the end user segmented, in reverse order.

How do I get Splunk to index this as one contiguous file?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎08-13-2015 08:58 AM

Try something like this for your props.conf 

[YourSourceType]
BREAK_ONLY_BEFORE=^Log\s*File\s*for:
MAX_TIMESTAMP_LOOKAHEAD=150
NO_BINARY_CHECK=1
SHOULD_LINEMERGE=true
TIME_PREFIX=Started:\s*

View solution in original post

Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎08-13-2015 08:58 AM

Try something like this for your props.conf 

[YourSourceType]
BREAK_ONLY_BEFORE=^Log\s*File\s*for:
MAX_TIMESTAMP_LOOKAHEAD=150
NO_BINARY_CHECK=1
SHOULD_LINEMERGE=true
TIME_PREFIX=Started:\s*
Reply
Solved! Jump to solution

MikeBertelsen
Communicator
‎08-13-2015 10:29 AM

Of the solutions offered, this one works the best.
But I am exceeding the 10000 byte limit and the file is being truncated.
Suggestions?

Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎08-13-2015 10:50 AM

10000 bytes limits in the preview screen? If you see data truncated in Preview, don't worry actual data will not get truncated.
If you see the actual data getting truncated, add following to props.conf stanza.

TRUNCATE = 0
Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎08-18-2015 12:11 PM

Do not set settings such as TRUNCATE to zero, ever.

Pick a value that seems outlandishly large, sure - but not zero. If something breaks at your source, Splunk will attempt to build infinitely large events...

Reply
Solved! Jump to solution

MikeBertelsen
Communicator
‎08-13-2015 10:52 AM

yes in the preview screen

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎08-13-2015 08:37 AM

You want all 160 lines to appear into one big single event with timestamp being taken from line 2?

Reply
Solved! Jump to solution

MikeBertelsen
Communicator
‎08-13-2015 08:42 AM

Yes that is correct.

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎08-12-2015 02:51 PM

Add this to your props.conf:

TIME_PREFIX = ^Started:\s+

This won't work if the other timestamps start with the same RegEx.

0 Karma
Reply
Solved! Jump to solution

MikeBertelsen
Communicator
‎08-13-2015 08:16 AM

That helps a lot. the file is now broken up into two segments. the first line and the second which contains the timestamp.
I can make do with this but if needed how do I get the previous line included?

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎08-13-2015 09:12 AM

Add these, too:

 BREAK_ONLY_BEFORE_DATE = false
 BREAK_ONLY_BEFORE = ^Log File for:\s+
 SHOULD_LINEMERGE = true
0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...