Getting Data In
Highlighted

Why is Splunk removing timestamps from different events that occurred at the same time?

New Member

Hi,

The events displayed in Splunk Web seems to miss the Timestamp on events that have the same timestamp.
Please see the data below for details.

For example:
In my log file I can see 3 entries as follows:

18:24:21.809 582   Event1 - Logging Event 1
18:24:21.809 582   Event2 - Logging Event 2
18:24:21.809 582   Event3 - Logging Event 3

But in Splunk Web I see the following:

Event3 - Logging Event 3
Event2 - Logging Event 2
18:24:21.809 582   Event1 - Logging Event 1

It does seem like its stripping off the timestamps on events.

Can you please let me know how to fix this?

Props.conf:

SHOULD_LINEMERGE = false
LINE_BREAKER = (([\r\n]+)(\d{2}:\d{2}:\d{2}.\d{3})) | (([\r\n]+)(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}))
TZ = UTC
DATETIME_CONFIG = /etc/customDatetime.xml

customDatetime.xml

<datetime>
        <define name="_fromat1" extract="hour, minute, second, subsecond">
                <text>(\d{2}):(\d{2}):(\d{2}).(\d{3})</text>
                </define>
        <define name="_format2" extract="year, month, day, hour, minute, second, subsecond">
                 <text>(\d{4})-(\d{2})-(\d{2})\s(\d{1,2}):(\d{2}):(\d{2}),(\d{3})</text>
        </define>
        <timePatterns>
                 <use name="_fromat1"/>
                 <use name="_format2"/>
        </timePatterns>
        <datePatterns>
                 <use name="_fromat1"/>
                 <use name="_format2"/>
        </datePatterns>
</datetime>
0 Karma
Highlighted

Re: Why is Splunk removing timestamps from different events that occurred at the same time?

SplunkTrust
SplunkTrust

The default line breaker should suffice if each of these events are on separate lines with line feeds / carriage returns.

Remove your line breaker.

If that doesnt work... try this

 SHOULD_LINEMERGE = false
 BREAK_ONLY_BEFORE = \d{2}:\d{2}:\d{2}.\d{3}
 TZ = UTC
 DATETIME_CONFIG = /etc/customDatetime.xml
0 Karma