Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Splunk automatically splits a event into two, beca...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi All
I tried a solution suggested online for a similar issue, but it didn't fix the problem
The below extract from the log is a single event
2019-03-26 12:03:28.753 +0000 INFO [zzz] [yyy] [] [] [rrId:] [] Message
----------------------------
ID: 7
Response-Code: 200
Encoding: UTF-8
Content-Type: text/xml;charset=utf-8
Headers: {Connection=[close], Content-Type=[text/xml;charset=utf-8], Date=[Tue, 26 Mar 2019 12:03:28 GMT],
Show less
but it results like this
2019-03-26 12:03:28.753 +0000 INFO [zzz] [yyy] [] [] [rrId:] [] Message
----------------------------
ID: 7
Response-Code: 200
Encoding: UTF-8
Content-Type: text/xml;charset=utf-8
In 2 lines
Headers: {Connection=[close], Content-Type=[text/xml;charset=utf-8], Date=[Tue, 26 Mar 2019 12:03:28 GMT],
Show less
We have a cluster environment so I updated the props here - opt/splunk/etc/master-apps/_cluster/local/props.conf with the below
[log4j]
MAX_TIMESTAMP_LOOKAHEAD = 19
I pushed the change to the peers and restarted all the indexers
Any thoughts to fix this issue please?
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this for your props.conf (sourcetype definition)
[log4j]
SHOULD_LINEMBER=false
LINE_BREAKER=([\r\n]+)(?=\d{4}-\d{2}-\d{2})
TIME_PREFIX=^
TIME_FORMAT=%Y-%m-%d %H:%M:%S.%3N %z
MAX_TIMESTAMP_LOOKAHEAD=29
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this for your props.conf (sourcetype definition)
[log4j]
SHOULD_LINEMBER=false
LINE_BREAKER=([\r\n]+)(?=\d{4}-\d{2}-\d{2})
TIME_PREFIX=^
TIME_FORMAT=%Y-%m-%d %H:%M:%S.%3N %z
MAX_TIMESTAMP_LOOKAHEAD=29
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks.
It works partially but creates another issue.
The below shows as one event
2019-04-08 09:51:11.791 +0000 INFO INFO [[zzz] [yyy] [] [] [rrId:] [] Message In
----------------------------
ID: 3
Response-Code: 200
Encoding: UTF-8
Content-Type: text/xml;charset=utf-8
Headers: {Connection=[close], Content-Type=[text/xml;charset=utf-8], Date=[Mon, 08 Apr 2019 09:51:11 GMT]
But what happens is the next message is also in the same event, which should be a separate event
2019-04-08 09:51:11.727 +0000 INFO [[zzz] [yyy] [] [] [rrId:] [] Message Out
ID: 3
Address: xxxx
Encoding: UTF-8
Http-Method: POST
Content-Type: text/xml
Headers: {Accept=[/], Connection=[close], SOAPAction=[""]}
2019-04-08 09:51:11.791 +0000 INFO INFO [[zzz] [yyy] [] [] [rrId:] [] Message In
ID: 3
Response-Code: 200
Encoding: UTF-8
Content-Type: text/xml;charset=utf-8
Headers: {Connection=[close], Content-Type=[text/xml;charset=utf-8], Date=[Mon, 08 Apr 2019 09:51:11 GMT]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Give this a try
[log4j]
SHOULD_LINEMBER=false
LINE_BREAKER=([\r\n]+)(?=\s*\d{4}-\d{2}-\d{2}\s*\d+)
TIME_PREFIX=^
TIME_FORMAT=%Y-%m-%d %H:%M:%S.%3N %z
MAX_TIMESTAMP_LOOKAHEAD=29
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...
Upgrade Prep for 10.4, Network Observability Deep Dives, and More from Splunk Lantern
Splunk Developer Day announcements: AI agents, MCP tools, Forecasting, and Custom ...
