Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Time Stamps not seperating

lukeasplunk
Observer
‎10-22-2020 12:52 PM

Hello Splunk Community,

Just starting out configuring Splunk and having an issue with my Time Stamps and line Breaks.  Currently Events in the log are using one time stamp seen below in the top left (red).  I want to separate all the events that have all their unique MXT time events (green).  I tried setting sourcetypes to Auto but also believe I need to fix my line breaks and not sure how/where to configure this. Any help is appreciated, thank you.

Example:

10/22/20
3:45:04.000 AM

... 24 lines omitted ...
BLANKUSER  10/16/20 03:10:13 MXT   CMND TSS ADD(XFERER) SUS
BLANKUSER  10/16/20 03:10:13 MXT   CMND TSS ADD(XFDGWR) SUS
BLANKUSER 10/16/20 07:00:07 MXT   CMND TSS CRE(DFETET) NAME('DOE, JOHN') TYPE(USER) DEPT(SA81195) PASS( ,60,EXP) PROFILE(PRO
                                      ADTCS)
BLANKUSER  10/16/20 07:00:08 MXT   CMND TSS ADD(EREFETE) DSNAME(DRERER.)
Labels (1)
Labels
0 Karma
Reply

lukeasplunk
Observer
‎10-29-2020 10:51 AM

Yes each event any time there is a new MXT time should be a separate event.  I recently changed the host settings to constant value from regex value. I think I need to fix the event breaks so it doesnt think the entire file is one event.  See the default for props.conf below:

 

[default]
CHARSET = AUTO
LINE_BREAKER_LOOKBEHIND = 100
TRUNCATE = 10000
DATETIME_CONFIG = \etc\datetime.xml
ADD_EXTRA_TIME_FIELDS = True
ANNOTATE_PUNCT = True
HEADER_MODE =
MATCH_LIMIT = 100000
DEPTH_LIMIT = 1000
MAX_DAYS_HENCE=2
MAX_DAYS_AGO=2000
MAX_DIFF_SECS_AGO=3600
MAX_DIFF_SECS_HENCE=604800
MAX_TIMESTAMP_LOOKAHEAD = 128
SHOULD_LINEMERGE = True
BREAK_ONLY_BEFORE =
BREAK_ONLY_BEFORE_DATE = True
MAX_EVENTS = 256
MUST_BREAK_AFTER =
MUST_NOT_BREAK_AFTER =
MUST_NOT_BREAK_BEFORE =
TRANSFORMS =
SEGMENTATION = indexing
SEGMENTATION-all = full
SEGMENTATION-inner = inner
SEGMENTATION-outer = outer
SEGMENTATION-raw = none
SEGMENTATION-standard = standard
LEARN_SOURCETYPE = true
LEARN_MODEL = true
maxDist = 100
AUTO_KV_JSON = true
detect_trailing_nulls = auto
sourcetype =
priority =

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎10-22-2020 01:17 PM

Are you saying each event should have the MXT time as _time or the timestamp at the top of the file?

Is each line a separate event?  If not, what designates a new event?

Can you share your current props.conf for this sourcetype, please?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

lukeasplunk
Observer
‎11-05-2020 09:55 AM

See above response

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...