Solved: How to configure Splunk to prevent grouping events...

jscraig2006 · ‎06-07-2016

I am having an issue with the time stamp on one of my apps. They will group together if the time stamp is identical in the event.

Example:

Jun 7 17:37:31
Jun 7 17:37:31

However, they are separate events.

But as soon as the time stamp changes, the event is separated. I am currently using in my props.conf file BREAK_ONLY_BEFORE = ^(?<Month>\w+\s+\d+\s+\d+:\d+:\d+)

Any suggestions? Thanks in advanced

woodcock · ‎06-07-2016

Try this instead:

TIME_PREFIX=^
TIME_FORMAT = %b %-d %H:%M:%s
BREAK_ONLY_BEFORE_DATE = true
SHOULD_LINEMERGE = false

View solution in original post

woodcock · ‎06-07-2016

Try this instead:

TIME_PREFIX=^
TIME_FORMAT = %b %-d %H:%M:%s
BREAK_ONLY_BEFORE_DATE = true
SHOULD_LINEMERGE = false

jscraig2006 · ‎06-08-2016

Thanks woodcock. I placed the above change in the props.conf but the events are still grouping:

6/8/16
10:42:32.000 AM
Jun  8 10:42:32 x.x.x.x CounterACT[2561]: NAC Policy Log: Source: x.x.x.x, Rule: , Details: HPS is going to execute the following command "fs_user.vbs  "
Jun  8 10:42:32 x.x.x.x CounterACT[2561]: NAC Policy Log: Source: x.x.x.x, Rule: , Details: HPS is going to execute the following command "fs_NBTDomain.exe  "

jscraig2006 · ‎06-08-2016

After reindexing and letting it cook, the events are now separated. Thanks again!

How to configure Splunk to prevent grouping events when the timestamp is identical?

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation