Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Why are my events not splitting correctly by timestamp?

yqifan83
New Member
‎12-01-2016 07:08 AM

My props.conf has:

TZ=UTC
TRUNCATE = 0
BREAK_ONLY_BEFORE_DATE = true
TIME_FORMAT = %d%b%Y_%H:%M:%S.%3N
MAX_DAYS_HENCE = 5
MAX_TIMESTAMP_LOOKAHEAD = 24
SHOULD_LINEMERGE = true

My events are like this:

01DEC2016_09:28:00.873 INFO [machine] 348 GMT2016-12-01T09:28:00.792Z (78 ms) [uuid] 17662753 [firm] 9001 [sn] 290501 initialize storage: 
{
    "toastPosition": {
        "x": 400,
        "y": 0
    },
    "toastListSize": {
        "width": 600,
        "height": 190
    },
    "toastPageSize": {
        "width": 300,
        "height": 230
    },
    "columnSizes": {
        "selectedColumnWidth": 30,
        "timestampColumnWidth": 70,
        "dealcodeColumnWidth": 65,
        "aliasColumnWidth": 65,
        "firmnameColumnWidth": 200
    },
    "windowId": "5a2bbf703d160d47bdd7af216868aa40",
    "feedSettings": {
        "showFeed": false,
        "feedFilter": 1,
        "feedWeight": 0.3,
        "feedColPosition": 0.32
    },
    "soundSetting": {
        "customSounds": [],
        "postSound": "Default Sound for New Text",
        "toastSound": "Default Sound for New Toast"
    }
}

01DEC2016_09:28:00.876 INFO [machine] 348 GMT2016-12-01T09:28:00.792Z (81 ms) [uuid] 17662753 [firm] 9001 [sn] 290501 start logging on to IBD2 in main with args: 
{}

01DEC2016_09:28:01.689 INFO [machine] 348 GMT2016-12-01T09:28:01.686Z [uuid] 17662753 [firm] 9001 [sn] 290501 "machine type: ucbr: 2 fxibdsrv: 2 fxibdqsc: 2"

01DEC2016_09:28:01.833 INFO [machine] 348 GMT2016-12-01T09:28:01.728Z (102 ms) [uuid] 17662753 [firm] 9001 [sn] 290501 worker signOn Response: 
{
    "machineType": 2,
    "machineTypeFxibdsvc": 2,
    "machineTypeFxibdqsc": 2,
    "fxaxUser": {
        "uuid": 17662753,
        "dealCode": "BGEU",
        "userNum": 16733059,
        "userCustNum": 6618,
        "firstName": "VINCENT VON",
        "lastName": "ROTZ",
        "fullName": "VINCENT VON ROTZ",
        "isDemo": false,
        "isTest": true,
        "isBbg": true,
        "isBba": true
    },
    "fxpvDealingCode": {
        "bankNumber": 31,
        "firmNumber": 9001,
        "primaryIdentifier": 1,
        "secondaryIdentifier": 3,
        "tertiaryIdentifier": 0,
        "quaternaryIdentifier": 0,
        "streamingName": 1010532,
        "optionsName": 1010532,
        "disclaimer": 1015148,
        "streamingLogo": 31100137,
        "optionsLogo": 41941229,
        "dealingCode": "BGEU",
        "companyName": "BLOOMBERG FX LONDON",
        "active": 1,
        "optionsUsesQuoteEngine": false,
        "enfb_id": "521cce1e1b1c0000",
        "rfqUsesQuoteEngine": false,
        "isBbg": true,
        "isTest": true
    },
    "isTradingEnabled": true,
    "isTeamLead": false,
    "isGrabChatEnabled": false,
    "settings": {
        "enable_toast": true,
        "enable_ib_parsing": false,
        "ibd_textflow_input_rows_expand": 3,
        "ibd_textflow_input_rows_collapse": 2,
        "alias": "",
        "font_size": 14,
        "bring_msg_to_front": false,
        "flash_win_toolbar": false,
        "autostart": false,
        "enable_keyboard_navigation": false,
        "show_pending_requests": false,
        "use_bloomberg_name": true,
        "launch_cnf_on_capture": true,
        "launch_cnf_on_end": false,
        "flash_rqst_or_chat": true,
        "auto_expand": false,
        "use_above_below": false,
        "start_ibd_instead_of_ib_from_tickets": false,
        "focus_on_ack": false,
        "use_all_in_as_ref": false,
        "play_sound_until_picked_up": false,
        "play_sound_for_toast": true,
        "play_sound_on_new_text": true,
        "flash_my_rqsts_tab": false,
        "flash_monitored_tab": false
    },
    "isClassic": true,
    "tcnfEnabled": true
}

01DEC2016_09:28:02.473 INFO [machine] 348 GMT2016-12-01T09:28:02.414Z (56 ms) [uuid] 17662753 [firm] 9001 [sn] 290501 sessionInit success. [accountUrn:] urn:fb-ib-bloomberg-net:BGEU:in=f  [sessionId:] d83fed2195cc0006  [identityUrn:] urn:identity-ib-bloomberg-net:1:0:urn%3Afb-ib-bloomberg-net%3ABGEU%3Ain%3Df:uuid%3D17662753

01DEC2016_09:28:02.533 INFO [machine] 348 GMT2016-12-01T09:28:02.477Z (52 ms) [uuid] 17662753 [firm] 9001 [sn] 290501 sessionInit success. [accountUrn:] urn:fb-ib-bloomberg-net:BGEU:in=t  [sessionId:] d83fed2195cc0005  [identityUrn:] urn:identity-ib-bloomberg-net:1:0:urn%3Afb-ib-bloomberg-net%3ABGEU%3Ain%3Dt:uuid%3D17662753

01DEC2016_09:28:02.893 INFO [machine] 348 GMT2016-12-01T09:28:02.820Z (70 ms) [uuid] 17662753 [firm] 9001 [sn] 290501 successfully logged on to IBD2.

01DEC2016_09:28:02.894 INFO [machine] 348 GMT2016-12-01T09:28:02.820Z (70 ms) [uuid] 17662753 [firm] 9001 [sn] 290501 hide IBD for user

01DEC2016_09:28:02.914 INFO [machine] 348 GMT2016-12-01T09:28:02.836Z (75 ms) [uuid] 17662753 [firm] 9001 [sn] 290501 sending fxibdbus subscription: 
{
    "uuid": 17662753,
    "FxEnvironment": 2
}

01DEC2016_09:28:02.914 INFO [machine] 348 GMT2016-12-01T09:28:02.836Z (74 ms) [uuid] 17662753 [firm] 9001 [sn] 290501 fxibdbus eventHandler, eventType: SERVICEOPEN_RESULT

01DEC2016_09:28:02.914 INFO [machine] 348 GMT2016-12-01T09:28:02.836Z (76 ms) [uuid] 17662753 [firm] 9001 [sn] 290501 fxibdbus eventHandler, eventType: CONNECTED

01DEC2016_09:28:04.114 INFO [machine] 348 GMT2016-12-01T09:28:04.014Z (97 ms) [uuid] 17662753 [firm] 9001 [sn] 290501 fxibdbus eventHandler, eventType: SUBSCRIPTION_RESULT

They are presented in Splunk as one event. But I would like to break them by timestamp.
Why has this happened? How to fix this problem?

0 Karma
Reply

inventsekar
SplunkTrust
SplunkTrust
‎12-01-2016 08:37 AM

Did you try, SHOULD_LINEMERGE = false ?

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
0 Karma
Reply

inventsekar
SplunkTrust
SplunkTrust
‎12-01-2016 08:41 AM

Also did you try, without the MAX_DAYS_HENCE ?!?!

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
0 Karma
Reply
Get Updates on the Splunk Community!

Transforming Financial Data into Fraud Intelligence

Every day, banks and financial companies handle millions of transactions, logins, and customer interactions ...

How to send events & findings from AWS to Splunk using Amazon EventBridge

Amazon EventBridge is a serverless service that uses events to connect application components together, making ...

Exciting News: The AppDynamics Community Joins Splunk!

Hello Splunkers,   I’d like to introduce myself—I’m Ryan, the former AppDynamics Community Manager, and I’m ...
Top