Splunk Search

BREAK_ONLY_BEFORE_DATE=true is not working

mukuru74
New Member

Here is my log, sent from a UF to an Indexer:

2019-09-16 09:37:00 Fetching ISS data
'issfiles/sampleFile.tmp' -> 'issfiles/sampleFile.new'
2019-09-16 09:37:04 Fetch of ISS data completed successfully
2019-09-16 09:37:04 Processing ISS data
Directory: processISS/issfiles
Sucessfully parsed status log file
2019-09-16 09:37:04 Processed ISS data

Here is my props.conf on the indexer:

MAX_TIMESTAMP_LOOKAHEAD=30
BREAK_ONLY_BEFORE_DATE=true
NO_BINARY_CHECK=true
SHOULD_LINEMERGE=true
TIME_PREFIX=^
TIME_FORMAT=%Y-%m-%d %H:%M:%S.%3N
TZ=UTC

I don't understand why the event 'issfiles/sampleFile.tmp' -> 'issfiles/sampleFile.new' is not merged with the previous event 2019-09-16 09:37:00 Fetching ISS data

Here is what I see from search:
[screenshot]

Can anybody help?


mukuru74
New Member

Hi Yorokobi,
Between the first line and the errant line there is a carriage return and line feed.


mukuru74
New Member

Hi Yorokobi,
Thank you for your feedback.
I have tried your suggestion, but it's still not working.
Here is my new props.conf file:
[ptss-dashboardLog]
TIME_FORMAT = %F %T
TIME_PREFIX = ^
MAX_TIMESTAMP_LOOKAHEAD = 25
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)\d{4}-\d{2}-\d{2}
TZ=UTC
As you can see on the screenshot below, it's still creating a new event for the string "'issfiles/sampleFile.tmp' -> 'issfiles/sampleFile.new'" even though there is no timestamp preceding this event.
[screenshot]


Yorokobi
SplunkTrust

Where does that errant line live in the raw data? At the top of the file (line 1)?


mukuru74
New Member

I have changed the props.conf as follows, but it's still not working.
TIME_FORMAT = %F %T
TIME_PREFIX = ^
MAX_TIMESTAMP_LOOKAHEAD = 25
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)\d{4}-\d{2}-\d{2}
TZ=UTC

As you can see, Splunk has created an event for the yellow-marked string even though there is no date preceding it.
[screenshot]


Yorokobi
SplunkTrust

BREAK_ONLY_BEFORE_whatever options should be avoided when a proper LINE_BREAKER entry can be used.

[some_sourcetype]
TIME_FORMAT = %F %T
TIME_PREFIX = ^
MAX_TIMESTAMP_LOOKAHEAD = 25
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)\d{4}-\d{2}-\d{2}

mukuru74
New Member

Thank you for your reply.
But it’s still not working.


richgalloway
SplunkTrust

The TIME_FORMAT setting does not match your sample data. Try
TIME_FORMAT = %Y-%m-%d %H:%M:%S

---
If this reply helps you, Karma would be appreciated.
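To see what the two props.conf variants discussed in this thread should produce on the poster's sample, here is an added simulation (not Splunk's code and not from anyone in the thread) of the line-breaking and timestamp-extraction rules as the props.conf documentation describes them: LINE_BREAKER must contain one capture group, the captured text is the delimiter and is discarded, and the event begins with the text after it; the timestamp is searched within MAX_TIMESTAMP_LOOKAHEAD characters after the TIME_PREFIX match. The sample log is reconstructed from the first post with a CRLF between the first line and the errant line, as the poster said. Python's strptime lacks `%F`, `%T` and `%3N`, so the script translates those directives itself; that translation, the helper names, and the assumption that the stanza actually applies (props.conf on the first full Splunk instance in the pipeline, i.e. the indexer or a heavy forwarder rather than the UF, under a stanza name that matches the data's sourcetype) are this example's own.

```python
"""Simulate Splunk LINE_BREAKER / SHOULD_LINEMERGE / TIME_FORMAT handling.

Added illustration, not Splunk code. Assumed semantics (from the props.conf
docs): the LINE_BREAKER capture group is the delimiter and is dropped; the
timestamp is parsed from MAX_TIMESTAMP_LOOKAHEAD chars after TIME_PREFIX.
"""
import re
from datetime import datetime, timezone

# Constructed sample: the thread's UF log, with CRLF after the first line.
SAMPLE_LOG = (
    "2019-09-16 09:37:00 Fetching ISS data\r\n"
    "'issfiles/sampleFile.tmp' -> 'issfiles/sampleFile.new'\n"
    "2019-09-16 09:37:04 Fetch of ISS data completed successfully\n"
    "2019-09-16 09:37:04 Processing ISS data\n"
    "Directory: processISS/issfiles\n"
    "Sucessfully parsed status log file\n"
    "2019-09-16 09:37:04 Processed ISS data"
)

LINE_BREAKER = r"([\r\n]+)\d{4}-\d{2}-\d{2}"   # the value from the thread


def break_events(data, line_breaker=LINE_BREAKER):
    """SHOULD_LINEMERGE=false path: split raw data at each LINE_BREAKER match."""
    pattern = re.compile(line_breaker)
    if pattern.groups < 1:
        raise ValueError("LINE_BREAKER needs a capture group")
    events, start = [], 0
    for m in pattern.finditer(data):
        events.append(data[start:m.start(1)])
        start = m.end(1)            # captured delimiter is discarded
    events.append(data[start:])
    return [e for e in events if e]


def merge_by_date(data, date_re=r"^\d{4}-\d{2}-\d{2}"):
    """SHOULD_LINEMERGE=true + BREAK_ONLY_BEFORE_DATE path: break on every
    newline, then glue lines without a leading date onto the previous event."""
    events = []
    for line in re.split(r"[\r\n]+", data):
        if re.match(date_re, line) or not events:
            events.append(line)
        else:
            events[-1] += "\n" + line
    return events


# Splunk strptime directives that Python's strptime lacks (assumed mapping).
_SPLUNK_TO_PY = {"%F": "%Y-%m-%d", "%T": "%H:%M:%S", "%3N": "%f", "%6N": "%f"}


def extract_timestamp(event, time_format, time_prefix=r"^", lookahead=25,
                      tz=timezone.utc):
    """Return the event timestamp (TZ applied), or None when TIME_FORMAT does
    not match within `lookahead` characters after the TIME_PREFIX match."""
    m = re.search(time_prefix, event)
    if m is None:
        return None
    window = event[m.end():m.end() + lookahead]
    fmt = time_format
    for splunk_directive, py_directive in _SPLUNK_TO_PY.items():
        fmt = fmt.replace(splunk_directive, py_directive)
    # Splunk matches the format as a prefix of the window; strptime needs an
    # exact match, so try the longest prefix first and stop at the first hit.
    for n in range(len(window), 0, -1):
        try:
            return datetime.strptime(window[:n], fmt).replace(tzinfo=tz)
        except ValueError:
            continue
    return None


if __name__ == "__main__":
    for i, ev in enumerate(break_events(SAMPLE_LOG)):
        ok = extract_timestamp(ev, "%Y-%m-%d %H:%M:%S")
        bad = extract_timestamp(ev, "%Y-%m-%d %H:%M:%S.%3N")
        print(f"event {i}: ts={ok} (with .%3N: {bad})")
        print("   " + ev.replace("\r\n", "\\r\\n").replace("\n", "\\n"))
```

With the thread's LINE_BREAKER the sample yields four events, each starting with a dated line, and the errant `'issfiles/...'` line rides along inside the first one; the merge-by-date path gives the same four events. With `%Y-%m-%d %H:%M:%S` (or its `%F %T` spelling) the timestamp parses; with the first post's `%Y-%m-%d %H:%M:%S.%3N` it does not, because the data carries no fractional seconds, which is the mismatch richgalloway points out. If a real deployment still shows the errant line as its own event, the stanza is not being applied to this data, and the sourcetype name and the host where props.conf lives are the things to check.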