I get some data (TCP syslog) from a Juniper VPN server. Unfortunately they are incorrectly parsed by splunk because some data is prepended before the timestamp. A sample of the data (this is all in one block) is below, I have replaced by INFOINFOINFO the actual data from systlog (which varies):
After some more checks I see that:
- a single line starting with "Juniper:" is indexed properly (the Juniper: prefix is not removed, though. But the indexed times are OK)
- when several lines are concatenated they are not broken into single ones (all start with Juniper:)
Thank you - I added [source::tcp:25890]
TIME_PREFIX = Juniper:
(two lines) to /opt/splunk/etc/system/local/props.conf but I still get the same chunks (I tested this by sending the sting in my question via netcat splunk.example.com 25890). Is there a way to debug or would you see another place I should add something?