How to fix time_format in props.conf to properly line break?

Communicator

Hi

Somehow the date is not being picked up properly by Splunk.
The props.conf has %d/%H:%M:%S.3N but it's not working.
Any thoughts on this?

[ SOURCETYPE]
SHOULD_LINEMERGE=false
NO_BINARY_CHECK=true
TIME_FORMAT=%D/%H:%M:%S.3N
TIME_PREFIX=^
MAX_TIMESTAMP_LOOKAHEAD=25



28/07:50:42.064 (0a98/0f38/8bea) Dump-Req: Message 'poll' (678 byte) from 1(albin) ---> 6(email) [s593411-t661514]
    28/07:50:42.064 (07f4/067c/8bea) Email/MbParametersGet  Parameters >IMAP< >imap.tent.trt.csaa.pri:143< Tls >NO<
    28/07:50:42.064 (07f4/067c/8bea) Email/MbParametersGet called, MaxRequested >1< ConfirmTimeout >600<
    28/07:50:42.064 (07f4/067c/8bea) Email/MbParametersGet  bKeepOnServer >1< Folders: >KofaxProcessed< >Rejected<
    28/07:50:42.064 (07f4/067c/8bea) Email/MbParametersGet  ImapMode >MultiInstance<, TestMode >0<
    28/07:50:42.189 (07f4/14c0/8be9) Email/fnMbPoll returns
    28/07:50:42.189 (0a98/1f9c/8be9) Dump-Rsp: Message 'poll-res' (291 byte) from 6(email) ---> 1(albin) [s593410-t661513]
    28/07:50:42.189 (0a98/1f9c/8be9) Connection has been disconnected by target 6(email). (State=0/4)
    28/07:50:42.220 (0a98/19f0/8beb) Dump-Req: Message 'poll' (634 byte) from 1(albin) ---> 6(email) [s593412-t661515]
    28/07:50:42.220 (0a98/1328/8bec) Dump-Req: Message 'poll' (637 byte) from 1(albin) ---> 6(email) [s593413-t661516]
    28/07:50:42.220 (07f4/154c/8beb) Email/MbParametersGet  Parameters >IMAP< >imap.tent.trt.csaa.pri:143< Tls >NO<
    28/07:50:42.220 (07f4/154c/8beb) Email/MbParametersGet called, MaxRequested >1< ConfirmTimeout >600<
    28/07:50:42.220 (07f4/154c/8beb) Email/MbParametersGet  bKeepOnServer >0< Folders: >Processed< >Rejected<
    28/07:50:42.220 (07f4/154c/8beb) Email/MbParametersGet  ImapMode >MultiInstance<, TestMode >0<
    28/07:50:42.220 (07f4/18b4/8bec) Email/MbParametersGet  Parameters >IMAP< >imap.tent.trt.csaa.pri:143< Tls >NO<
    28/07:50:42.220 (07f4/18b4/8bec) Email/MbParametersGet called, MaxRequested >1< ConfirmTimeout >600<
    28/07:50:42.220 (07f4/18b4/8bec) Email/MbParametersGet  bKeepOnServer >0< Folders: >Processed< >Rejected<
    28/07:50:42.220 (07f4/18b4/8bec) Email/MbParametersGet  ImapMode >MultiInstance<, TestMode >0<
    28/07:50:42.298 (07f4/067c/8bea) Email/fnMbPoll returns
    28/07:50:42.298 (0a98/0f38/8bea) Dump-Rsp: Message 'poll-res' (291 byte) from 6(email) ---> 1(albin) [s593411-t661514]
    28/07:50:42.298 (0a98/0f38/8bea) Connection has been disconnected by target 6(email). (State=0/4)
    28/07:50:42.439 (07f4/154c/8beb) Email/fnMbPoll returns
    28/07:50:42.439 (0a98/19f0/8beb) Dump-Rsp: Message 'poll-res' (291 byte) from 6(email) ---> 1(albin) [s593412-t661515]
    28/07:50:42.439 (0a98/19f0/8beb) Connection has been disconnected by target 6(email). (State=0/4)
    28/07:50:42.470 (07f4/18b4/8bec) Email/fnMbPoll returns
    28/07:50:42.470 (0a98/1328/8bec) Dump-Rsp: Message 'poll-res' (291 byte) from 6(email) ---> 1(albin) [s593413-t661516]
    28/07:50:42.470 (0a98/1328/8bec) Connection has been disconnected by target 6(email). (State=0/4)
    28/07:50:42.704 (0a98/101c/8bed) Dump-Req: Message 'poll' (679 byte) from 1(albin) ---> 6(email) [s593414-t661517]
    28/07:50:42.704 (07f4/08b4/8bed) Email/MbParametersGet  Parameters >IMAP< >imap.tent.trt.csaa.pri:143< Tls >NO<
    28/07:50:42.704 (07f4/08b4/8bed) Email/MbParametersGet called, MaxRequested >1< ConfirmTimeout >600<
    28/07:50:42.704 (07f4/08b4/8bed) Email/MbParametersGet  bKeepOnServer >1< Folders: >KofaxProcessed< >Rejected<
    28/07:50:42.704 (07f4/08b4/8bed) Email/MbParametersGet  ImapMode >MultiInstance<, TestMode >0<
    28/07:50:42.735 (0a98/186c/8bee) Dump-Req: Message 'poll' (636 byte) from 1(albin) ---> 6(email) [s593415-t661518]
    28/07:50:42.735 (07f4/07c0/8bee) Email/MbParametersGet  Parameters >IMAP< >imap.tent.trt.csaa.pri:143< Tls >NO<
0 Karma
1 Solution

SplunkTrust

Try this for your props.conf
fixed typo in line breaker

[SOURCETYPE]
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)(?=\d+\/\d+\:\d+\:\d+)
TIME_FORMAT=%d/%H:%M:%S.%3N
TIME_PREFIX=^
MAX_TIMESTAMP_LOOKAHEAD=15

0 Karma
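
An offline check of the settings in the answer above, as an added example that is not part of the original thread and not Splunk's own parser: it emulates LINE_BREAKER, TIME_PREFIX and MAX_TIMESTAMP_LOOKAHEAD in Python and translates TIME_FORMAT into a regex. The helper names, the POSIX reading of %D as %m/%d/%y, and the continuation line in the sample are assumptions of this sketch.

```python
import re

# Settings copied from the answer's props.conf stanza.
LINE_BREAKER = r"([\r\n]+)(?=\d+\/\d+\:\d+\:\d+)"
TIME_PREFIX = r"^"
MAX_TIMESTAMP_LOOKAHEAD = 15

# strptime-style directives this sketch understands, as regex fragments.
# %D is given its POSIX meaning (%m/%d/%y); that mapping is an assumption.
DIRECTIVES = {"%d": r"\d{2}", "%H": r"\d{2}", "%M": r"\d{2}", "%S": r"\d{2}",
              "%3N": r"\d{3}", "%D": r"\d{2}/\d{2}/\d{2}"}

def format_to_regex(time_format):
    """Translate a TIME_FORMAT string into a regex (hypothetical helper)."""
    out, i = "", 0
    while i < len(time_format):
        for token, pattern in DIRECTIVES.items():
            if time_format.startswith(token, i):
                out += pattern
                i += len(token)
                break
        else:
            out += re.escape(time_format[i])  # anything else is a literal
            i += 1
    return re.compile(out)

def break_events(raw):
    """Split raw text where LINE_BREAKER matches; group 1 is discarded."""
    events, start = [], 0
    for m in re.finditer(LINE_BREAKER, raw):
        events.append(raw[start:m.start(1)])
        start = m.end(1)
    events.append(raw[start:])
    return events

def timestamp_of(event, time_format):
    """Return the timestamp text found right after TIME_PREFIX, or None."""
    prefix = re.search(TIME_PREFIX, event)
    if prefix is None:
        return None
    window = event[prefix.end():prefix.end() + MAX_TIMESTAMP_LOOKAHEAD]
    m = format_to_regex(time_format).match(window)
    return m.group(0) if m else None

# Constructed sample: two lines from the thread plus one constructed
# continuation line that must stay attached to the first event.
SAMPLE = ("28/07:50:42.064 (07f4/067c/8bea) Email/MbParametersGet called\n"
          "  continuation line without a timestamp\n"
          "28/07:50:42.189 (07f4/14c0/8be9) Email/fnMbPoll returns\n")

if __name__ == "__main__":
    for ev in break_events(SAMPLE):
        print(repr(ev), timestamp_of(ev, "%d/%H:%M:%S.%3N"),
              timestamp_of(ev, "%D/%H:%M:%S.3N"))
```

The timestamp `28/07:50:42.064` is exactly 15 characters, which is why MAX_TIMESTAMP_LOOKAHEAD=15 is enough with TIME_PREFIX=^.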


Communicator

@somesoni2

Thanks for the reply, somehow it's still not working on this one

21/14:39:43.571 (1ea8/1ecc/1a54) {"BlobManServer"}   Deletion of files for blob c37a18fb-8e6c-4994-8cbd-e21c43b9af93 deferred due to 1 additional references
21/14:39:43.571 (1ea8/1ecc/1a54) {"BlobManServer"} Process 19:REL_BLOB_MESSAGE(MsgId=136222) 1/43 released
21/14:39:43.571 (1ea8/1ecc/1a54) {"BlobManServer"} Process 19:ADD_BLOB_REF_MSG(c37a18fb-8e6c-4994-8cbd-e21c43b9af93, size=18544, MsgId=136224)
21/14:39:43.571 (1ea8/1ecc/1a54) {"BlobManServer"}   Deletion of files for blob c37a18fb-8e6c-4994-8cbd-e21c43b9af93 deferred due to 1 additional references
21/14:39:43.571 (1ea8/1ecc/1a54) {"BlobManServer"} Process 19:REL_BLOB_MESSAGE(MsgId=136223) 1/43 released
21/14:39:43.571 (180c/1bf0/1a54) {"XmlParser" 0x13178f8} BlobControl: Move ownership started - from me(MsgID=136224) to recieving-msg (forwd=0)
21/14:39:43.571 (1ea8/05f4/1a54) {"XmlParser" 0x2e87748} Got Blob Control Block(MsgId=136224, CompId=19)
21/14:39:43.571 (1ea8/05f4/1a54) Dump-Rsp: Message 'ViewMessageResponse' (1548 byte) from 19(tsl) ---> 15(http) [s167809-t992055]
21/14:39:43.571 (1ea8/05f4/1a54) {"XmlParser" 0x2e87748} BlobControl: Move ownership started - from me(MsgID=0) to recieving-msg (forwd=1)
21/14:39:43.571 (1ea8/05f4/1a54) Connection has been disconnected by target 19(tsl). (State=0/4)
21/14:39:43.571 (1bb0/0704/1a54) {"XmlParser" 0x1c6727c} Got Blob Control Block(MsgId=136224, CompId=19)
21/14:39:43.571 (1ea8/1ecc/1a54) {"BlobManServer"}   Blob file KofaxMerlinBlobFile_c37a18fb-8e6c-4994-8cbd-e21c43b9af93.TIF deleted
21/14:39:43.571 (1ea8/1ecc/1a54) {"BlobManServer"}   Deleted 1 files for blob c37a18fb-8e6c-4994-
0 Karma

SplunkTrust

Oops .... There was a typo in line breaker. Try the updated answer.

0 Karma