I have a logfile whose events are not being broken up in Splunk. Here are the two separate events that are being shown together in the Splunk console.
16:45:12,772 INFO> intro_response.pl:549 main:: - Batch AAAIE120809004119P03 successfully transferred to staging server.
16:45:12,774 INFO> intro_response.pl:568 main:: - account=act,program=932,admin=opsprg12,pgmssn=932-574,wfstate='BATCH_PUBLISHED',subject=Math,grade=11,error_code='',msg='Batch published to ePEN',batchnum=AAAIE120809004119P03,batch_count=5
Here's the configuration I have in props.conf for this logfile -
TIME_FORMAT = %H:%i:%s
SHOULD_LINEMERGE = false
BREAK_ONLY_BEFORE = \d+:\d+:\d+\,\d+
MAX_EVENTS = 2000
This configuration was working fine earlier but it stopped working for some reason this week. Any help on this would be greatly appreciated.
Sorry, but what is %i in TIME_FORMAT? Don't you think that %M would be more correct? Or even:
TIME_FORMAT=%H:%M:%S,%3N
which would let you capture the milliseconds as well.
Since you have SHOULD_LINEMERGE=false, that implies that Splunk is not seeing your line break character properly. The BREAK_ONLY_BEFORE is not used when SHOULD_LINEMERGE=false. And MAX_EVENTS should be removed - MAX_EVENTS is the maximum number of lines per event - when you set SHOULD_LINEMERGE=false, that is irrelevant because an event can have only one line.
From Configure event linebreaking:
"Splunk determines event boundaries in two steps:
So this is the default:
LINE_BREAKER=[\r\n]+
Is it possible that your line is actually separated by different characters in the log? Or, try this explicitly
TIME_FORMAT = %H:%M:%S,%3N
SHOULD_LINEMERGE = false
LINE_BREAKER=[\r\n]+
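To make the two-step model in this answer concrete, here is a small Python emulation of it (added here as an example; it is not Splunk code and not part of the original thread). It assumes a simplified reading of the settings: step 1 splits the raw stream on LINE_BREAKER, and step 2 only runs when SHOULD_LINEMERGE is true, gluing lines together until one matches BREAK_ONLY_BEFORE or MAX_EVENTS lines are reached. The sample input is constructed from the two lines in the question, once joined with a normal newline and once with a record-separator byte standing in for "different characters in the log". The timestamp helper mirrors TIME_PREFIX / MAX_TIMESTAMP_LOOKAHEAD and spells Splunk's %3N as Python's %f, since strptime has no %N.

```python
import re
from datetime import datetime

# Constructed sample built from the two lines in the question, joined with "\n".
LINE_A = ("16:45:12,772 INFO> intro_response.pl:549 main:: - Batch "
          "AAAIE120809004119P03 successfully transferred to staging server.")
LINE_B = ("16:45:12,774 INFO> intro_response.pl:568 main:: - account=act,"
          "program=932,admin=opsprg12,wfstate='BATCH_PUBLISHED',"
          "batchnum=AAAIE120809004119P03,batch_count=5")
SAMPLE_LOG = LINE_A + "\n" + LINE_B + "\n"

# Same two lines, but separated by a record-separator byte instead of a newline.
# Constructed: this is what "a different line break character" would look like.
ODD_SEPARATOR_LOG = LINE_A + "\x1e" + LINE_B

DEFAULT_LINE_BREAKER = r"[\r\n]+"   # the documented default quoted above
TIME_PREFIX = r"^"
# Splunk TIME_FORMAT %H:%M:%S,%3N; Python's strptime writes the fraction as %f
PY_TIME_FORMAT = "%H:%M:%S,%f"
MAX_TIMESTAMP_LOOKAHEAD = 12        # exactly "HH:MM:SS,mmm"


def break_events(raw, line_breaker=DEFAULT_LINE_BREAKER, should_linemerge=False,
                 break_only_before=None, max_events=256):
    """Simplified emulation (assumption, not Splunk's real code path).
    Step 1: split the stream on LINE_BREAKER.
    Step 2: if SHOULD_LINEMERGE is true, append each line to the previous event
    until a line matches BREAK_ONLY_BEFORE or the event holds MAX_EVENTS lines.
    With SHOULD_LINEMERGE=false every step-1 line is its own event and
    BREAK_ONLY_BEFORE / MAX_EVENTS are never consulted."""
    lines = [l for l in re.split(line_breaker, raw) if l]
    if not should_linemerge:
        return lines
    events = []
    for line in lines:
        starts_new = (not events) or (
            break_only_before is not None and re.search(break_only_before, line)
        )
        if not starts_new and len(events[-1]) < max_events:
            events[-1].append(line)
        else:
            events.append([line])
    return ["\n".join(e) for e in events]


def parse_event_time(event):
    """Mimic TIME_PREFIX + MAX_TIMESTAMP_LOOKAHEAD: skip the prefix, look only at
    the next MAX_TIMESTAMP_LOOKAHEAD characters, and parse them with the
    strptime equivalent of TIME_FORMAT.  Returns (h, m, s, ms) or None when the
    event does not start with a recognisable timestamp."""
    m = re.match(TIME_PREFIX, event)
    if m is None:
        return None
    window = event[m.end():m.end() + MAX_TIMESTAMP_LOOKAHEAD]
    ts = re.match(r"\d{2}:\d{2}:\d{2},\d{3}", window)
    if ts is None:
        return None
    t = datetime.strptime(ts.group(0), PY_TIME_FORMAT)
    return (t.hour, t.minute, t.second, t.microsecond // 1000)


if __name__ == "__main__":
    # Default breaker on a normal newline-separated file: two events.
    print(len(break_events(SAMPLE_LOG)), "events with default LINE_BREAKER")
    # Same lines with an unusual separator: the default breaker sees one event,
    # which is the symptom described in the question.
    print(len(break_events(ODD_SEPARATOR_LOG)), "event(s) with odd separator")
    # Widening LINE_BREAKER to the real separator restores two events.
    print(len(break_events(ODD_SEPARATOR_LOG, line_breaker=r"[\r\n\x1e]+")),
          "events once LINE_BREAKER matches the real separator")
    print(parse_event_time(LINE_A))
```

The useful check for the original poster is the middle case: if the file's real separator is not matched by `[\r\n]+`, step 1 never splits, and no amount of BREAK_ONLY_BEFORE tuning will help while SHOULD_LINEMERGE stays false. Running `od -c` or `cat -A` over a few bytes of the log will show which separator is actually present.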
Give this a shot...
TIME_PREFIX=^
TIME_FORMAT=%H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD=8
BREAK_ONLY_BEFORE=^\d{2}:\d{2}:\d{2}
Thank you kbecker for your response. Just tried your suggestion. No luck though. I am still seeing separate events getting bundled up.