Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Why is linebreaking not working for Microsoft DHCP failover auto config sync?

joeburris
New Member
‎10-22-2018 10:42 AM

Swinging back around to an issue that has me a bit confused. Microsoft DHCP Failover Auto Config Sync generates logs like the following:

==================================================================================================
Sync process complete at 01/25/2018 17:04:08.

Will automatically sync again when new configuration changes are made.

Sync process complete at 01/25/2018 17:11:16.

Will automatically sync again when new configuration changes are made.

Periodic Sync TimeOut Happened:

Syncing Relation:DHCP1-DHCP2
Sync process complete at 01/25/2018 17:26:17.

I've created a custom source type, shown below:

[dfacs]
TRUNCATE = 999999
LINE_BREAKER = (=+[\r\n]+)
MAX_TIMESTAMP_LOOKAHEAD=22
NO_BINARY_CHECK=true
SHOULD_LINEMERGE=false
TIME_FORMAT=%m/%d/%Y %H:%M:%S
TIME_PREFIX=Sync\sprocess\scomplete\sat\s
TZ=US/Eastern
disabled=false

My main frustration is that, for some reason, it separates the following the 3-line section into 2 events with EVENT1 being given a timestamp ~ 3 seconds before EVENT2 is properly timestamped:

 Periodic Sync TimeOut Happened:
    Syncing Relation:DHCP1-DHCP2
    Sync process complete at 01/22/2018 11:37:02.
--EVENT1--
Periodic Sync TimeOut Happened:
Syncing Relation:DHCP1-DHCP2
--EVENT2--
Sync process complete at 01/22/2018 11:37:02.

Based on the props, I did intend to remove the lines with "="'s. As the 2-line events break fine, any suggestions on how to stop the 3-line events from breaking?

0 Karma
Reply

493669
Super Champion
‎10-22-2018 10:55 AM

can you try SHOULD_LINEMERGE=true in your stanza else try:-

[dfacs]
LINE_BREAKER = (====+)
MAX_TIMESTAMP_LOOKAHEAD=22
NO_BINARY_CHECK=true
SHOULD_LINEMERGE=true
TIME_FORMAT=%m/%d/%Y %H:%M:%S
TIME_PREFIX=Sync\sprocess\scomplete\sat\s
TZ=US/Eastern
disabled=false

and after changing props.conf change will affect later indexed events and it will not affect already indexed events.

0 Karma
Reply
Get Updates on the Splunk Community!

Celebrating Fast Lane: 2025 Authorized Learning Partner of the Year

At .conf25, Splunk proudly recognized Fast Lane as the 2025 Authorized Learning Partner of the Year. This ...

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...