Getting Data In

Time Stamps not separating

lukeasplunk
Observer

Hello Splunk Community,

Just starting out configuring Splunk and having an issue with my Time Stamps and line Breaks.  Currently Events in the log are using one time stamp seen below in the top left (red).  I want to separate all the events that have all their unique MXT time events (green).  I tried setting sourcetypes to Auto but also believe I need to fix my line breaks and not sure how/where to configure this. Any help is appreciated, thank you.

Example:

10/22/20
3:45:04.000 AM

... 24 lines omitted ...
BLANKUSER  10/16/20 03:10:13 MXT   CMND TSS ADD(XFERER) SUS
BLANKUSER  10/16/20 03:10:13 MXT   CMND TSS ADD(XFDGWR) SUS
BLANKUSER 10/16/20 07:00:07 MXT   CMND TSS CRE(DFETET) NAME('DOE, JOHN') TYPE(USER) DEPT(SA81195) PASS( ,60,EXP) PROFILE(PRO
                                      ADTCS)
BLANKUSER  10/16/20 07:00:08 MXT   CMND TSS ADD(EREFETE) DSNAME(DRERER.)

lukeasplunk
Observer

Yes, each event, any time there is a new MXT time, should be a separate event.  I recently changed the host settings to constant value from regex value. I think I need to fix the event breaks so it doesn't think the entire file is one event.  See the default for props.conf below:

[default]
CHARSET = AUTO
LINE_BREAKER_LOOKBEHIND = 100
TRUNCATE = 10000
DATETIME_CONFIG = \etc\datetime.xml
ADD_EXTRA_TIME_FIELDS = True
ANNOTATE_PUNCT = True
HEADER_MODE =
MATCH_LIMIT = 100000
DEPTH_LIMIT = 1000
MAX_DAYS_HENCE=2
MAX_DAYS_AGO=2000
MAX_DIFF_SECS_AGO=3600
MAX_DIFF_SECS_HENCE=604800
MAX_TIMESTAMP_LOOKAHEAD = 128
SHOULD_LINEMERGE = True
BREAK_ONLY_BEFORE =
BREAK_ONLY_BEFORE_DATE = True
MAX_EVENTS = 256
MUST_BREAK_AFTER =
MUST_NOT_BREAK_AFTER =
MUST_NOT_BREAK_BEFORE =
TRANSFORMS =
SEGMENTATION = indexing
SEGMENTATION-all = full
SEGMENTATION-inner = inner
SEGMENTATION-outer = outer
SEGMENTATION-raw = none
SEGMENTATION-standard = standard
LEARN_SOURCETYPE = true
LEARN_MODEL = true
maxDist = 100
AUTO_KV_JSON = true
detect_trailing_nulls = auto
sourcetype =
priority =

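As an added example (not from this thread, and not Splunk's own code), here is a LINE_BREAKER regex that starts a new event at each `<user> MM/DD/YY HH:MM:SS MXT` line while keeping a wrapped continuation line such as `ADTCS)` with the event before it, checked in Python against a constructed copy of the sample lines. The sourcetype name `tss_audit` is an assumption, the MXT time zone is not set because the thread does not say what it is, and Python's `re` stands in for Splunk's PCRE breaker only for this pattern.

```python
import re
from datetime import datetime

# Assumed sourcetype name. This is the props.conf stanza the script emulates:
# SHOULD_LINEMERGE off, one event per MXT-stamped line, timestamp after the user field.
PROPS_CONF = r"""
[tss_audit]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)(?=\S+\s+\d{1,2}/\d{1,2}/\d{2} \d{2}:\d{2}:\d{2} MXT)
TIME_PREFIX = ^\S+\s+
TIME_FORMAT = %m/%d/%y %H:%M:%S
"""

# Same regex as LINE_BREAKER: group 1 is the newline run Splunk discards, and the
# lookahead only allows a break before a line that starts with a user and an MXT stamp.
EVENT_START = re.compile(
    r"([\r\n]+)(?=\S+\s+\d{1,2}/\d{1,2}/\d{2} \d{2}:\d{2}:\d{2} MXT)")
# What TIME_PREFIX + TIME_FORMAT pick out of the start of each event.
STAMP = re.compile(r"^\S+\s+(\d{1,2}/\d{1,2}/\d{2} \d{2}:\d{2}:\d{2}) MXT")


def break_events(raw: str) -> list[str]:
    """Split raw text into events the way the LINE_BREAKER above would."""
    # re.split returns the captured delimiters too; they are pure newlines, so drop them.
    return [e for e in EVENT_START.split(raw) if e and not e.isspace()]


def event_time(event: str) -> datetime:
    """Parse the MXT stamp that follows the user field at the start of an event."""
    m = STAMP.match(event)
    if not m:
        raise ValueError("no MXT timestamp at event start: " + event[:40])
    return datetime.strptime(m.group(1), "%m/%d/%y %H:%M:%S")


# Constructed copy of the lines from the question, including the wrapped PROFILE line.
SAMPLE = (
    "BLANKUSER  10/16/20 03:10:13 MXT   CMND TSS ADD(XFERER) SUS\n"
    "BLANKUSER  10/16/20 03:10:13 MXT   CMND TSS ADD(XFDGWR) SUS\n"
    "BLANKUSER 10/16/20 07:00:07 MXT   CMND TSS CRE(DFETET) NAME('DOE, JOHN') "
    "TYPE(USER) DEPT(SA81195) PASS( ,60,EXP) PROFILE(PRO\n"
    "                                      ADTCS)\n"
    "BLANKUSER  10/16/20 07:00:08 MXT   CMND TSS ADD(EREFETE) DSNAME(DRERER.)\n"
)

if __name__ == "__main__":
    for ev in break_events(SAMPLE):
        print(event_time(ev).isoformat(), "|", ev.splitlines()[0][:60])
```

Run it before deploying the stanza: the wrapped `ADTCS)` line should print as part of the 07:00:07 event, not as an event of its own.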

richgalloway
SplunkTrust

Are you saying each event should have the MXT time as _time or the timestamp at the top of the file?

Is each line a separate event?  If not, what designates a new event?

Can you share your current props.conf for this sourcetype, please?

---
If this reply helps you, Karma would be appreciated.

lukeasplunk
Observer

See above response
