Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Time stamp is not being recognized

smudge797
Path Finder
‎03-20-2014 02:19 AM

The logs below are a sample and splunk seems to deal with them most of the time, occasionally Im seeing the logs merged together and breaking at the --EOR-- point. Recommended settings for props.conf please! Any assistance greatly appreciated, thanks.

2014-03-17T12:27:23.828 SourceName=myweb5551-com.mysite.e3.platform.foundation.bus.client.beanclass.DefaultResponseManager, EventCode=100, Type=Information, Deployment_Unit_Name=myweb5551, Service_Name=mysite-base, Service_Version=trunk-trunk.ci.990689, Thread=com.mysite.e3.platform.foundation.bus.client.beanclass.DefaultResponseManager ManagerThread
Message=[com.mysite.e3.platform.foundation.bus.client.beanclass.DefaultResponseManager ManagerThread is running]
--EOR--
2014-03-17T12:27:24.203 SourceName=myweb5551-com.mysite.e3.platform.foundation.core.monitoring.MonitorCounters.Internal, EventCode=101, Type=Information, Deployment_Unit_Name=myweb5551, Service_Name=mysite-base, Service_Version=trunk-trunk.ci.990689, Activity_Name=MonitorCounter, Activity_Id=3702d9de-0d8b-4a57-b37a-eb96e925b07e, Originator_Activity_Id=3702d9de-0d8b-4a57-b37a-eb96e925b07e, Thread=MonitorCounter
Message=[Initialized. beanUpdate = 5 sec; logUpdate = 300seconds.]
--EOR--
2014-03-17T12:27:37.344 SourceName=myweb5551-com.mysite.e3.platform.foundation.serialization.jaxbri.JaxbSerializer, EventCode=1000, Type=Information, Deployment_Unit_Name=myweb5551, Service_Name=mysite-base, Service_Version=trunk-trunk.ci.990689, Activity_Name=openBeanFactory, Activity_Id=5f2ab137-c55f-4b97-ad09-d5fc25aea897, s.search.defn.v4:com.mysite.s3.cars.messages.getchangedetail.defn.v1:com.mysite.s3.cars.messages.location.search.defn.v1 in 11024 millis.]
--EOR--

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

lcrielaa
Communicator
‎03-20-2014 03:48 AM 
BREAK_ONLY_BEFORE=\d{4}\-\d{2}\-\d{2}T\d{2}:\d{2}:\d{2}\.\d{3}
SHOULD_LINEMERGE=true

This should break the event before the next timestamp, which is effectively at the after the --EOR-- mark. Your event will thus run from the timestamp up to (and including) the --EOR--.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

linu1988
Champion
‎03-20-2014 03:51 AM

[source::.../mylogs/*.log]
BREAK_ONLY_BEFORE_DATE = true

should work. You need not add anything, check and let us know

0 Karma
Reply
Solved! Jump to solution
Solution

lcrielaa
Communicator
‎03-20-2014 03:48 AM 
BREAK_ONLY_BEFORE=\d{4}\-\d{2}\-\d{2}T\d{2}:\d{2}:\d{2}\.\d{3}
SHOULD_LINEMERGE=true

This should break the event before the next timestamp, which is effectively at the after the --EOR-- mark. Your event will thus run from the timestamp up to (and including) the --EOR--.

0 Karma
Reply
Solved! Jump to solution

smudge797
Path Finder
‎03-20-2014 06:11 AM

Looks great thanks!

0 Karma
Reply
Solved! Jump to solution

smudge797
Path Finder
‎03-20-2014 02:56 AM

The end of each event is the --EOR-- The start is the date time

0 Karma
Reply
Solved! Jump to solution

linu1988
Champion
‎03-20-2014 02:44 AM

where do you want it to break?

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | When is October more than just the tenth month?

October 2025 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What’s New & Next in Splunk SOAR

 Security teams today are dealing with more alerts, more tools, and more pressure than ever.  Join us for an ...