Solved: Re: Time stamp is not being recognized

smudge797 · ‎03-20-2014

The logs below are a sample and splunk seems to deal with them most of the time, occasionally Im seeing the logs merged together and breaking at the --EOR-- point. Recommended settings for props.conf please! Any assistance greatly appreciated, thanks.

2014-03-17T12:27:23.828 SourceName=myweb5551-com.mysite.e3.platform.foundation.bus.client.beanclass.DefaultResponseManager, EventCode=100, Type=Information, Deployment_Unit_Name=myweb5551, Service_Name=mysite-base, Service_Version=trunk-trunk.ci.990689, Thread=com.mysite.e3.platform.foundation.bus.client.beanclass.DefaultResponseManager ManagerThread
Message=[com.mysite.e3.platform.foundation.bus.client.beanclass.DefaultResponseManager ManagerThread is running]
--EOR--
2014-03-17T12:27:24.203 SourceName=myweb5551-com.mysite.e3.platform.foundation.core.monitoring.MonitorCounters.Internal, EventCode=101, Type=Information, Deployment_Unit_Name=myweb5551, Service_Name=mysite-base, Service_Version=trunk-trunk.ci.990689, Activity_Name=MonitorCounter, Activity_Id=3702d9de-0d8b-4a57-b37a-eb96e925b07e, Originator_Activity_Id=3702d9de-0d8b-4a57-b37a-eb96e925b07e, Thread=MonitorCounter
Message=[Initialized. beanUpdate = 5 sec; logUpdate = 300seconds.]
--EOR--
2014-03-17T12:27:37.344 SourceName=myweb5551-com.mysite.e3.platform.foundation.serialization.jaxbri.JaxbSerializer, EventCode=1000, Type=Information, Deployment_Unit_Name=myweb5551, Service_Name=mysite-base, Service_Version=trunk-trunk.ci.990689, Activity_Name=openBeanFactory, Activity_Id=5f2ab137-c55f-4b97-ad09-d5fc25aea897, s.search.defn.v4:com.mysite.s3.cars.messages.getchangedetail.defn.v1:com.mysite.s3.cars.messages.location.search.defn.v1 in 11024 millis.]
--EOR--

lcrielaa · ‎03-20-2014

BREAK_ONLY_BEFORE=\d{4}\-\d{2}\-\d{2}T\d{2}:\d{2}:\d{2}\.\d{3}
SHOULD_LINEMERGE=true

This should break the event before the next timestamp, which is effectively at the after the --EOR-- mark. Your event will thus run from the timestamp up to (and including) the --EOR--.

View solution in original post

linu1988 · ‎03-20-2014

[source::.../mylogs/*.log]
BREAK_ONLY_BEFORE_DATE = true

should work. You need not add anything, check and let us know

lcrielaa · ‎03-20-2014

BREAK_ONLY_BEFORE=\d{4}\-\d{2}\-\d{2}T\d{2}:\d{2}:\d{2}\.\d{3}
SHOULD_LINEMERGE=true

This should break the event before the next timestamp, which is effectively at the after the --EOR-- mark. Your event will thus run from the timestamp up to (and including) the --EOR--.

smudge797 · ‎03-20-2014

Looks great thanks!

smudge797 · ‎03-20-2014

The end of each event is the --EOR-- The start is the date time

linu1988 · ‎03-20-2014

where do you want it to break?

Time stamp is not being recognized

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Build the Future of Agentic AI: Join the Splunk Agentic Ops Hackathon

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

Join the Conversation