Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Logs are getting truncated after the forwarding ha...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The data in event 1 is incomplete and the rest of it is getting populated into event2 and so on .
If i am not wrong , i should break the line with the pattern example 2019-08-21T01:41:49.115-0500 INFO , 2019-08-21T01:12:53.584-0500 INFO
.Please correct me if i am wrong.
Or if there is any suggestion I am open for it.
event1
*2019-08-21T01:41:49.115-0500 INFO * 4227528 com.l7tech.log.custom.splunk.audits.log: -4: UNIQ_ID=20190821014149112000ded8-add8d3a | DOMAIN=prd| HOST=1.5.43 | TRANS_ID=0000b8dc4ded8-add8d34 | ClIENT_IP=174.24.7.5 | HTTP_METHOD=POST | API_KEY= | USERNAME= | THUMBPRINT= | VERSION= | TOKEN_IN=eyJ0eXAiOiJKV1QiLCJDLUhTMjU2In0..UjpmXVx78UWFhn2bPKC-6A.GYpHe9T_r0qkN7AYFdl36vJ7FgT7wWCdyo0WdefoO_uylQn50f5rQ6Z7fSFH1bO2uCt.KSJgQKyu4vrAjadR_gmQYA | TOKEN_OUT= | CLIENT_CERT= | UTC_ENTRY=2019-08-21T06:41:49.009Z | UTC_EXIT=2019-08-21T06:41:49.109Z | OVERALL_LATENCY=100 | HTTP_EPAT_CODE= | HTTP_GUA_CODE= | HTTP_TCU_CODE= | HTTP_BACKEND_CODE=200 | RESPONSE_ERROR_CODE=0 | }} | RESPONSE_PAYLOAD={
"response" :
"responseCode" : 2000,
"responseDescription" : "Success",
"responseStatus" : "SUCCESS"
"header" :
"sourceName" : "android",
"transactionId" : "11876293482790932490877227828", incomplete*
event 2
"transactionId" : "1566367971_176699920"
} | RESPONSE_PAYLOAD={"response":{"responseCode":2000,"responseDescription":"Success","responseStatus":"SUCCESS"}}
*2019-08-21T01:12:53.584-0500 INFO * 5999 com.l7tech.log.custom.splunk.audits.log: -4: UNIQ_ID=201908210112535800000016b8daeab36-ae0accf |METHOD=GET | API_KEY= | USERNAME=C=US, ST=Georgia, L=Atlanta, O=hum, OU=33bfb1c1b2adc3b2, CN=1-1QSEZ50 | THUMBPRINT=FgjXxqpgtzeLzjMxtoQ5yco= | VERSION= | 9vtQVQQXQo08MQUHtJvKuqiT82hKHbV6CZ-| UTC_EXIT=2019-08-21T06:12:53.569Z | OVERALL_LATENCY=86 | HTTP_EPAT_CODE= | HTTP_GUA_CODE= | HTTP_TCU_CODE= | HTTP_BACKEND_CODE= | RESPONSE_ERROR_CODE=0 | RESPONSE_HTTP_CODE= | STATUS_MESSAGE=Message processed successfully | USERID=1-1QSEZ50 | OAM_CODES= | BACKEND= | BACKEND_LATENCY=73 | TYPE=AUDIT | UPGRADE_STATUS=| REQUEST_PAYLOAD=28adca:1812189:HTTP/1.1TEXT24.211.102.17400
"httpHeaders":
"APIKey": "2683853a11455c990",
"AppSystem": "android",
"AppVersion": "6.072.1933.26",
"Authorization" : "**",
"OSVersion": "9"
/data/websocket/request | RESPONSE_PAYLOAD= *incomplete**
Can anyone help me on this ?
Props:
[sourcetype]
KV_MODE = none
LINE_BREAKER = ([\r\n]+)
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
TIME_PREFIX = ^
disabled = false
pulldown_type = true
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try these props.conf settings:
[sourcetype]
KV_MODE = none
LINE_BREAKER = ([\r\n]+)\d{4}-\d\d
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
TIME_PREFIX = ^
TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%3N%Z
disabled = false
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try these props.conf settings:
[sourcetype]
KV_MODE = none
LINE_BREAKER = ([\r\n]+)\d{4}-\d\d
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
TIME_PREFIX = ^
TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%3N%Z
disabled = false
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks rich,
Worked fine for me .
Splunk Search APIを使えば調査過程が残せます
Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...
Congratulations to the 2025-2026 SplunkTrust!
