BREAK_ONLY_BEFORE_DATE catches serial numbers

itghelp
Path Finder

I'm trying to get Splunk to properly break multi-line events from the Radiator RADIUS server using BREAK_ONLY_BEFORE_DATE, as each event starts with a timestamp. However, other values in the lines that aren't timestamps are being detected as timestamps and are causing events to be split in the middle. For example, with BREAK_ONLY_BEFORE_DATE set to true for this particular sourcetype, Splunk breaks here (I've changed some digits but the length is the same):

Extreme-AP-Serial = "1000008375080206"

Here's what I want it to see as a timestamp:

Thu Jan 3 12:07:08 2013: DEBUG: Handling request with Handler 'Request-Type=Accounting-Request'

I looked through datetime.xml hoping to get rid of the offending regex and manually specify a new xml specifically for this sourcetype, but I'm not sure that that is the best way to go about this.


Ayn
Legend

Tell Splunk what time format it should be looking for for this sourcetype using the TIME_FORMAT directive in props.conf.

stefandagerman
Path Finder

This will hopefully make your life a whole lot easier... http://strftime.net

In your case, you probably need: %A %b %e %T %Y (not tested)
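As an added illustration (not code from any poster here, and not Splunk's own logic), the following Python simulates the two breaking policies on constructed Radiator-style lines: breaking on any date-like token, which the 16-digit serial triggers, versus breaking only on a regex that mirrors the explicit fields %a %b %e %T %Y followed by the colon Radiator prints after the year. The loose matcher is a deliberately simplified stand-in for automatic date detection, not a reproduction of datetime.xml, and the sample lines are made up.

```python
import re

# Strict anchor for the timestamp the log really uses, e.g. "Thu Jan 3 12:07:08 2013:".
# Assumption: this mirrors the strftime fields %a %b %e %T %Y (with %e allowing a
# space-padded day) plus the trailing colon, anchored to the start of the line.
STRICT_TS = re.compile(
    r"^(?:Mon|Tue|Wed|Thu|Fri|Sat|Sun) "
    r"(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec) "
    r" ?\d{1,2} \d{2}:\d{2}:\d{2} \d{4}:"
)

# Constructed simplification of loose auto-detection: a real timestamp OR any long
# digit run anywhere in the line counts as a "date". Not Splunk's datetime.xml.
LONG_DIGITS = re.compile(r"\d{8,}")


def strict_is_timestamp(line):
    return bool(STRICT_TS.search(line))


def loose_is_timestamp(line):
    return strict_is_timestamp(line) or bool(LONG_DIGITS.search(line))


def break_events(lines, is_timestamp):
    """Group lines into events; a new event starts on each line the matcher accepts."""
    events = []
    for line in lines:
        if is_timestamp(line) or not events:
            events.append([line])
        else:
            events[-1].append(line)
    return ["\n".join(ev) for ev in events]


# Constructed sample: two Radiator debug events, each carrying the AP serial attribute.
SAMPLE = """Thu Jan 3 12:07:08 2013: DEBUG: Handling request with Handler 'Request-Type=Accounting-Request'
  Extreme-AP-Serial = "1000008375080206"
  Acct-Status-Type = Start
Thu Jan 3 12:07:09 2013: DEBUG: Handling request with Handler 'Request-Type=Accounting-Request'
  Extreme-AP-Serial = "1000008375080206"
  Acct-Status-Type = Stop""".splitlines()


def count_events(strict=True):
    matcher = strict_is_timestamp if strict else loose_is_timestamp
    return len(break_events(SAMPLE, matcher))  # strict: 2 events, loose: 4 events
```

In props.conf the equivalent for the sourcetype is TIME_FORMAT set to the real format and, if line merging still misfires, BREAK_ONLY_BEFORE set to a regex like the strict one above, so that event breaking and timestamp extraction share the same anchor.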

itghelp
Path Finder

It works, sorry I can't also give you credit for an answer. Thanks again.

itghelp
Path Finder

Awesome, now I just have to figure out which expression to use for the value of TIME_FORMAT. I put an example in the question if this happens to be second nature to you or someone else.

Thanks.
