We are having problems parsing lines with timestamps at the beginning of the line but then there are other fields that are also dates.

We are using Splunk 6.4.2 by the way and MOST of the time the lines are parsed correctly but not every time.

Here's a sample event line

2016-10-28 00:11:28 Foo table info: table = MyTable, baselineDate = 2016-10-27 23:00:00, baselineOldDate = 2016-10-26 23:00:00, baselineSize = 596503557, baselineOldSize = 596446556, frequency = 1 day, 0:00:00, previousDate = 2016-10-27 19:00:00, penultimateDate = 2016-10-26 19:00:00,

And here is the sourcetype definition on the indexers

SHOULD_LINEMERGE        = True
TIME_PREFIX             = ^
TIME_FORMAT             = %Y-%m-%d %H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 20
LINE_BREAKER            =  ([\r\n]+)
TRUNCATE                =  10000
BREAK_ONLY_BEFORE       = ^\d\d\d\d-\d+-\d+\s+\d\d:\d\d:\d\d
NO_BINARY_CHECK         = True
TZ                      = UTC

The source is:

2016-10-28 00:11:28 Foo table info: table = MyTable, baselineDate = 2016-10-27 23:00:00, baselineOldDate = 2016-10-26 23:00:00, baselineSize = 596503557, baselineOldSize = 596446556, frequency = 1 day, 0:00:00, previousDate = **2016-10-27 19:00:00**, penultimateDate = 2016-10-26 19:00:00,

What happens is that I occasionally get two events instead of one for that line

2016-10-28 00:11:28 Foo table info: table = MyTable, baselineDate = 2016-10-27 23:00:00, baselineOldDate = 2016-10-26 23:00:00, baselineSize = 596503557, baselineOldSize = 596446556, frequency = 1 day, 0:00:00, previousDate = 2016-10-27 19

0, penultimateDate = 2016-10-21 00:00:00,

So what is happening is that most comes through but starting at previousDate = 2016-10-27 19:00:00 this is split and we only get up to "19" on one line and then the next event starts with a zero. So Splunk is splitting the line.

Any refinements on my sourcetype?