Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Incorrect Timestamp carried from previous events

nareshinsvu
Builder
‎03-17-2019 05:13 PM

Hello Experts,

I am indexing data from a shared file. I have below config in my props.conf. Some of the lines from my inout log file doesn't have timestamp. So, All those events are getting timestamp from previous events read by Splunk.

Using this config, I am getting irregular timestamps captured. Any advice to fix this is much appreciated.

[Custom_W22]
DATETIME_CONFIG =
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
TIME_FORMAT = %Y-%m-%d_%H:%M:%S.%3N
TIME_PREFIX = ^
TRANSFORMS-set = discardAll,queue2resp,index2resp
category = Custom
disabled = false
pulldown_type = 1

Example from log:
2019-02-20_03:30:02.333 - Line-1
2019-02-20_03:30:02.349 - Line-2
2019-02-20_03:30:02.364 - Line-3
2019-02-20_03:30:02.380 - Line-4
- Line-5
2019-02-20_03:30:02.427 - Line-6

Expected Output: Line-5 should have the timestamp of either Line-6 or Line-4. But it is going out of these bounds and showing different timestamps for few lines. Any help please?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

nickhills
Ultra Champion
‎03-18-2019 06:14 AM

Splunk makes an assumption (which is generally sensible) that all log lines from the same file, are from the same sourcetype.

Your props.conf example, defines a sourcetype which has the configuration also listed above.
Splunk therefore expects every event in that file to follow a standard format - in your case this says that an event ALWAYS starts with a date (from your TIME_PREFIX=^ configuration)

You also have SHOULD_LINEMERGE = false which means treat every line as a seperate event, but since Line 5 has no date, it cant be matched correctly, and probably instead using the index time.

You may want to consider if you should 'merge' these lines, or use a different line breaking process (see: https://docs.splunk.com/Documentation/Splunk/7.2.4/Data/Configureeventlinebreaking)

or
Get these events into a different sourcetype by re-writing the sourcetype as you index them: https://docs.splunk.com/Documentation/Splunk/7.2.4/Data/Advancedsourcetypeoverrides

or
by getting them into a different source file (preferable IMHO)

If my comment helps, please give it a thumbs up!

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

nickhills
Ultra Champion
‎03-18-2019 06:14 AM

Splunk makes an assumption (which is generally sensible) that all log lines from the same file, are from the same sourcetype.

Your props.conf example, defines a sourcetype which has the configuration also listed above.
Splunk therefore expects every event in that file to follow a standard format - in your case this says that an event ALWAYS starts with a date (from your TIME_PREFIX=^ configuration)

You also have SHOULD_LINEMERGE = false which means treat every line as a seperate event, but since Line 5 has no date, it cant be matched correctly, and probably instead using the index time.

You may want to consider if you should 'merge' these lines, or use a different line breaking process (see: https://docs.splunk.com/Documentation/Splunk/7.2.4/Data/Configureeventlinebreaking)

or
Get these events into a different sourcetype by re-writing the sourcetype as you index them: https://docs.splunk.com/Documentation/Splunk/7.2.4/Data/Advancedsourcetypeoverrides

or
by getting them into a different source file (preferable IMHO)

If my comment helps, please give it a thumbs up!
0 Karma
Reply
Solved! Jump to solution

nareshinsvu
Builder
‎03-26-2019 08:14 PM

It worked when I redirected to a different sourcetype turning on the SHOULD_LINEMERGE . Thanks

0 Karma
Reply
Get Updates on the Splunk Community!

The OpenTelemetry Certified Associate (OTCA) Exam

What’s this OTCA exam? The Linux Foundation offers the OpenTelemetry Certified Associate (OTCA) credential to ...

From Manual to Agentic: Level Up Your SOC at Cisco Live

Welcome to the Era of the Agentic SOC   Are you tired of being a manual alert responder? The security ...

Splunk Classroom Chronicles: Training Tales and Testimonials (Episode 4)

Welcome back to Splunk Classroom Chronicles, our ongoing series where we shine a light on what really happens ...