Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How to configure props.conf to break the event before the timestamp?

mhlesourd
New Member
‎09-25-2014 02:20 AM

Hello,

I'm having some issue with the configuration on one of my source. Even after configuring the props.conf, events are not broken properly.

Format of my source :

09:39:37.889 INFO  [main] Instantiated BDPeriodicAgent - o.i.p.m.b.s.impl.BDPeriodicAgent:57
09:39:37.921 DEBUG [main] Started meeting lifecycle agent to run every 36000 s - o.i.p.w.m.bd.servlet.BDInitServlet:64

My props.conf is the following:

MAX_TIMESTAMP_LOOKAHEAD = 150
NO_BINARY_CHECK = 1
TIME_FORMAT = %H:%M:%S.%3N

When I try to add the file from the Splunk interface and add this configuration to the "Advanced mode", events are shown properly. But when the same file is coming from the forwarder it looks like the props.conf is not taken in account and event are not split on the timestamp

Any advice?

Kind regards

0 Karma
Reply

sowings
Splunk Employee
Splunk Employee
‎09-25-2014 04:30 PM

There are a couple of possible things going on here. If the forwarder in question is what's known as a heavy forwarder (that is, a full instance of splunk with an outputs.conf) it may be parsing the events (and handling event breaking) before it ever gets to the indexer.

Assuming that's not the case, I've heard it said that Splunk wants to capture both a date and a time with TIME_PREFIX, and if it can't, then it assumes it got the wrong answer and doesn't consider what it found to be a valid "_time", which is typically how the event boundary is determined.

I'd go with @somesoni2's answer above, as the quick way to fix the problem.

0 Karma
Reply

somesoni2
Revered Legend
‎09-25-2014 05:17 AM

Try to configure BREAK_ONLY_BEFORE.

BREAK_ONLY_BEFORE = ^\d{2}:\d{2}:\d{2}\.\d{3}
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers,  We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...