Solved: How to configure Splunk to prevent grouping events...

jscraig2006 · ‎06-07-2016

I am having an issue with the time stamp on one of my apps. They will group together if the time stamp is identical in the event.

Example:

Jun 7 17:37:31
Jun 7 17:37:31

However, they are separate events.

But as soon as the time stamp changes, the event is separated. I am currently using in my props.conf file BREAK_ONLY_BEFORE = ^(?<Month>\w+\s+\d+\s+\d+:\d+:\d+)

Any suggestions? Thanks in advanced

woodcock · ‎06-07-2016

Try this instead:

TIME_PREFIX=^
TIME_FORMAT = %b %-d %H:%M:%s
BREAK_ONLY_BEFORE_DATE = true
SHOULD_LINEMERGE = false

View solution in original post

woodcock · ‎06-07-2016

Try this instead:

TIME_PREFIX=^
TIME_FORMAT = %b %-d %H:%M:%s
BREAK_ONLY_BEFORE_DATE = true
SHOULD_LINEMERGE = false

jscraig2006 · ‎06-08-2016

Thanks woodcock. I placed the above change in the props.conf but the events are still grouping:

6/8/16
10:42:32.000 AM
Jun  8 10:42:32 x.x.x.x CounterACT[2561]: NAC Policy Log: Source: x.x.x.x, Rule: , Details: HPS is going to execute the following command "fs_user.vbs  "
Jun  8 10:42:32 x.x.x.x CounterACT[2561]: NAC Policy Log: Source: x.x.x.x, Rule: , Details: HPS is going to execute the following command "fs_NBTDomain.exe  "

jscraig2006 · ‎06-08-2016

After reindexing and letting it cook, the events are now separated. Thanks again!

How to configure Splunk to prevent grouping events when the timestamp is identical?

Preparing your Splunk Environment for OpenSSL3

Unleash Unified Security and Observability with Splunk Cloud Platform

Splunk AppDynamics with Cisco Secure Application