Log that has wildly different times, but Splunk th...

benchen421 · ‎09-12-2017

It recognizes the datetime correctly based on the first line, but it seems to randomly be grouping up lines.

Example log that has wildly different times, but Splunk thinks is a single event

[INFO][DesDycrptor][20170911-19:55:46.798] Decrypting file: equity_option_open_uf.dif.gz.enc.20170911
[INFO][DesDycrptor][20170911-19:55:46.800] Unzipping file: equity_option_open_uf.dif.gz
[INFO][S3Client][20170911-19:55:46.803] Copying file: /tmp/###############-7351797381042467611/equity_option_open_uf.dif to s3 bucket: ###################### key: ##########/#######/2017/09/11/equity_option_open_uf.dif.20170911.

gcusello · ‎09-12-2017

Hi benchen421,
Could you share your props.conf file?
Anyway, in props.conf you should have one of the following configurations:

[your_sourcetype]
SHOULD_LINEMERGE = false
TIME_FORMAT = %Y%m%d-%H:%M:%S.%3N
TIME_PREFIX = \[\w+\]\[\w+\]\[
MAX_TIMESTAMP_LOOKAHEAD = 21

[your_sourcetype]
SHOULD_LINEMERGE = true
LINE_BREAKER = \[\w+\]\[\w+\]
TIME_FORMAT = %Y%m%d-%H:%M:%S.%3N
TIME_PREFIX = \[\w+\]\[\w+\]\[
MAX_TIMESTAMP_LOOKAHEAD = 21

Bye.
Giuseppe

DalJeanis · ‎09-12-2017

@benchen421 - Please post the relevant .conf stanzas

benchen421 · ‎09-13-2017

Hi! Apologies, I should've been clearer. This is an initial POC build and it was all stock configs

Log that has wildly different times, but Splunk thinks it is a single event

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!