Log that has wildly different times, but Splunk th...

benchen421 · ‎09-12-2017

It recognizes the datetime correctly based on the first line, but it seems to randomly be grouping up lines.

Example log that has wildly different times, but Splunk thinks is a single event

[INFO][DesDycrptor][20170911-19:55:46.798] Decrypting file: equity_option_open_uf.dif.gz.enc.20170911
[INFO][DesDycrptor][20170911-19:55:46.800] Unzipping file: equity_option_open_uf.dif.gz
[INFO][S3Client][20170911-19:55:46.803] Copying file: /tmp/###############-7351797381042467611/equity_option_open_uf.dif to s3 bucket: ###################### key: ##########/#######/2017/09/11/equity_option_open_uf.dif.20170911.

gcusello · ‎09-12-2017

Hi benchen421,
Could you share your props.conf file?
Anyway, in props.conf you should have one of the following configurations:

[your_sourcetype]
SHOULD_LINEMERGE = false
TIME_FORMAT = %Y%m%d-%H:%M:%S.%3N
TIME_PREFIX = \[\w+\]\[\w+\]\[
MAX_TIMESTAMP_LOOKAHEAD = 21

[your_sourcetype]
SHOULD_LINEMERGE = true
LINE_BREAKER = \[\w+\]\[\w+\]
TIME_FORMAT = %Y%m%d-%H:%M:%S.%3N
TIME_PREFIX = \[\w+\]\[\w+\]\[
MAX_TIMESTAMP_LOOKAHEAD = 21

Bye.
Giuseppe

DalJeanis · ‎09-12-2017

@benchen421 - Please post the relevant .conf stanzas

benchen421 · ‎09-13-2017

Hi! Apologies, I should've been clearer. This is an initial POC build and it was all stock configs

Log that has wildly different times, but Splunk thinks it is a single event

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation