Getting Data In

Why is Splunk removing timestamps from different events that occurred at the same time?

abinesh
New Member

Hi,

The events displayed in Splunk Web seems to miss the Timestamp on events that have the same timestamp.
Please see the data below for details.

For example:
In my log file I can see 3 entries as follows:

18:24:21.809 582   Event1 - Logging Event 1
18:24:21.809 582   Event2 - Logging Event 2
18:24:21.809 582   Event3 - Logging Event 3

But in Splunk Web I see the following:

Event3 - Logging Event 3
Event2 - Logging Event 2
18:24:21.809 582   Event1 - Logging Event 1

It does seem like its stripping off the timestamps on events.

Can you please let me know how to fix this?

Props.conf:

SHOULD_LINEMERGE = false
LINE_BREAKER = (([\r\n]+)(\d{2}:\d{2}:\d{2}.\d{3})) | (([\r\n]+)(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}))
TZ = UTC
DATETIME_CONFIG = /etc/customDatetime.xml

customDatetime.xml

<datetime>
        <define name="_fromat1" extract="hour, minute, second, subsecond">
                <text>(\d{2}):(\d{2}):(\d{2}).(\d{3})</text>
                </define>
        <define name="_format2" extract="year, month, day, hour, minute, second, subsecond">
                 <text>(\d{4})-(\d{2})-(\d{2})\s(\d{1,2}):(\d{2}):(\d{2}),(\d{3})</text>
        </define>
        <timePatterns>
                 <use name="_fromat1"/>
                 <use name="_format2"/>
        </timePatterns>
        <datePatterns>
                 <use name="_fromat1"/>
                 <use name="_format2"/>
        </datePatterns>
</datetime>
0 Karma

jkat54
SplunkTrust
SplunkTrust

The default line breaker should suffice if each of these events are on separate lines with line feeds / carriage returns.

Remove your line breaker.

If that doesnt work... try this

 SHOULD_LINEMERGE = false
 BREAK_ONLY_BEFORE = \d{2}:\d{2}:\d{2}.\d{3}
 TZ = UTC
 DATETIME_CONFIG = /etc/customDatetime.xml
0 Karma
Get Updates on the Splunk Community!

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...