Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Why is linebreaking not working for Microsoft DHCP failover auto config sync?

joeburris
New Member
‎10-22-2018 10:42 AM

Swinging back around to an issue that has me a bit confused. Microsoft DHCP Failover Auto Config Sync generates logs like the following:

==================================================================================================
Sync process complete at 01/25/2018 17:04:08.

Will automatically sync again when new configuration changes are made.

Sync process complete at 01/25/2018 17:11:16.

Will automatically sync again when new configuration changes are made.

Periodic Sync TimeOut Happened:

Syncing Relation:DHCP1-DHCP2
Sync process complete at 01/25/2018 17:26:17.

I've created a custom source type, shown below:

[dfacs]
TRUNCATE = 999999
LINE_BREAKER = (=+[\r\n]+)
MAX_TIMESTAMP_LOOKAHEAD=22
NO_BINARY_CHECK=true
SHOULD_LINEMERGE=false
TIME_FORMAT=%m/%d/%Y %H:%M:%S
TIME_PREFIX=Sync\sprocess\scomplete\sat\s
TZ=US/Eastern
disabled=false

My main frustration is that, for some reason, it separates the following the 3-line section into 2 events with EVENT1 being given a timestamp ~ 3 seconds before EVENT2 is properly timestamped:

 Periodic Sync TimeOut Happened:
    Syncing Relation:DHCP1-DHCP2
    Sync process complete at 01/22/2018 11:37:02.
--EVENT1--
Periodic Sync TimeOut Happened:
Syncing Relation:DHCP1-DHCP2
--EVENT2--
Sync process complete at 01/22/2018 11:37:02.

Based on the props, I did intend to remove the lines with "="'s. As the 2-line events break fine, any suggestions on how to stop the 3-line events from breaking?

0 Karma
Reply

493669
Super Champion
‎10-22-2018 10:55 AM

can you try SHOULD_LINEMERGE=true in your stanza else try:-

[dfacs]
LINE_BREAKER = (====+)
MAX_TIMESTAMP_LOOKAHEAD=22
NO_BINARY_CHECK=true
SHOULD_LINEMERGE=true
TIME_FORMAT=%m/%d/%Y %H:%M:%S
TIME_PREFIX=Sync\sprocess\scomplete\sat\s
TZ=US/Eastern
disabled=false

and after changing props.conf change will affect later indexed events and it will not affect already indexed events.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

.conf25 Global Broadcast: Don’t Miss a Moment

Hello Splunkers, .conf25 is only a click away.  Not able to make it to .conf25 in person? No worries, you can ...

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...