Splunk Search

BREAK_ONLY_BEFORE failing for date extraction

muguniya
Explorer

Hi Team,

We have configured the props.conf file on the indexer to break events before a date in a specific format (yyyy-mm-dd hh:mm:ss,ms), but it's not working.

props.conf settings:
[sourcetype]
BREAK_ONLY_BEFORE = \d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d,\d\d\d
SHOULD_LINEMERGE = true

Sample Events in Log4j File:

Cookie Value##Wed Apr 23 21:02:31 EDT 2014

2014-04-23 10:11:44,000 DEBUG 143.171.102.228 WebContainer : 15- Getting value of source system for first time user.

Cookie Value##Wed Apr 23 21:01:00 EDT 2014

Since ##Cookie Value## contains a future date time stamp, we don't want to break events based on Cookie Value. Please let us know how to break events only when the event starts with yyyy-mm-dd hh:mm:ss,ms.

Thanks


somesoni2
Revered Legend

Try this in your props.conf (under your sourcetype)

[YourSourcetype]
BREAK_ONLY_BEFORE = ^\d\d\d\d-\d\d-\d\d\s\d\d:\d\d:\d\d,\d\d\d
NO_BINARY_CHECK = 1
SHOULD_LINEMERGE = true
TIME_FORMAT = %Y-%m-%d %H:%M:%S,%3Q

----------------------Update------

This seems to work with my sample data (including events with just the line below; it takes the time from the event itself)
Cookie Value##Wed Apr 23 23:01:00 EDT 2014.

[YourSourcetype]
BREAK_ONLY_BEFORE = ^\d\d\d\d-\d\d-\d\d\s\d\d:\d\d:\d\d,\d\d\d
MAX_TIMESTAMP_LOOKAHEAD = 150
NO_BINARY_CHECK = 1
SHOULD_LINEMERGE = true
TIME_FORMAT = %Y-%m-%d %H:%M:%S,%3Q
pulldown_type = 1


linu1988
Champion

Please try this. The problem you are having is that there are two timestamps from which Splunk is able to get the time for the event, and it is trying to break into events at both.

BREAK_ONLY_BEFORE_DATE=true
NO_BINARY_CHECK=1
SHOULD_LINEMERGE=true
TIME_FORMAT=%Y-%m-%d %H:%M:%S,%3Q

Thanks
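To see why the cookie line split the events and why the anchored BREAK_ONLY_BEFORE regex plus a restrictive TIME_FORMAT fixes it, here is an added Python simulation of the line-merging and timestamp rules on constructed sample lines modelled on the thread's log4j excerpt. It is not Splunk's code and not from any post here; Splunk's automatic date recognition (BREAK_ONLY_BEFORE_DATE) is modelled as a flag with a simplified date regex.

```python
import re
from datetime import datetime

# Constructed sample lines modelled on the log4j excerpt in this thread:
# "Cookie Value##" lines carry a future timestamp; the log4j lines carry the real one.
SAMPLE_LINES = [
    "Cookie Value##Wed Apr 23 21:02:31 EDT 2014",
    "2014-04-23 10:11:44,000 DEBUG 143.171.102.228 WebContainer : 15- Getting value of source system for first time user.",
    "Cookie Value##Wed Apr 23 21:01:00 EDT 2014",
    "2014-04-23 10:11:45,250 DEBUG 143.171.102.228 WebContainer : 15- Next request",
    "    at com.example.Handler.run(Handler.java:42)",  # constructed continuation line
]

# The anchored BREAK_ONLY_BEFORE regex from the accepted answer.
LOG4J_TS = re.compile(r"^\d\d\d\d-\d\d-\d\d\s\d\d:\d\d:\d\d,\d\d\d")
# Simplified stand-in for Splunk's automatic timestamp recognition, which also
# recognises the "Wed Apr 23 21:02:31 EDT 2014" form inside the cookie lines.
ANY_DATE = re.compile(r"\d{4}-\d\d-\d\d \d\d:\d\d:\d\d|[A-Z][a-z]{2} [A-Z][a-z]{2} \d{1,2} \d\d:\d\d:\d\d")

MAX_TIMESTAMP_LOOKAHEAD = 150  # value from the accepted answer's update


def merge_events(lines, break_before_date):
    """Line-merge as SHOULD_LINEMERGE=true does: a line starts a new event only when it
    matches BREAK_ONLY_BEFORE, or (if break_before_date) when it contains any date."""
    events = []
    for line in lines:
        starts_new = bool(LOG4J_TS.match(line)) or (break_before_date and bool(ANY_DATE.search(line)))
        if starts_new or not events:
            events.append(line)
        else:
            events[-1] += "\n" + line
    return events


def extract_time(event):
    """Apply TIME_FORMAT = %Y-%m-%d %H:%M:%S,%3Q (Python's %f) within MAX_TIMESTAMP_LOOKAHEAD.
    Returns None when the event has no timestamp in that format; the cookie's future
    date is then never used, and Splunk falls back to the previous event's time or index time."""
    m = re.search(r"\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}", event[:MAX_TIMESTAMP_LOOKAHEAD])
    return datetime.strptime(m.group(0), "%Y-%m-%d %H:%M:%S,%f") if m else None


if __name__ == "__main__":
    for label, flag in (("any date breaks (original behaviour)", True), ("regex + TIME_FORMAT", False)):
        events = merge_events(SAMPLE_LINES, flag)
        print(f"{label}: {len(events)} events")
        for e in events:
            print("  ", extract_time(e), "|", e.replace("\n", " \\n "))
```

With the original behaviour every cookie line becomes its own event (4 events); with the anchored regex and TIME_FORMAT the cookie line is merged into the preceding log4j event (3 events) and only the log4j timestamp is extracted.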


muguniya
Explorer

Yes, you are right, it's not taking the Cookie timestamp. We have analyzed the event and are planning to add a date time before ##Cookie.... Thank you so much for the solution provided.


muguniya
Explorer

Yes, you are right, it's not taking the Cookie timestamp. We have analyzed the event and are planning to add a date time before ##Cookie....

Thank you so much for the solution provided.


linu1988
Champion

Is it taking the cookie timestamp? It shouldn't, because it's told not to read that time format!!!


muguniya
Explorer

The above suggestion works when we receive events as follows

2014-04-23 10:11:44,000 DEBUG 143.171.102.228 WebContainer : 15- Getting value of source system for first time user.
Cookie Value##Wed Apr 23 21:01:00 EDT 2014

It fails when we receive only the event below; we don't want this event populated with a future time stamp in Splunk.
Cookie Value##Wed Apr 23 23:01:00 EDT 2014.

Thanks



linu1988
Champion

Do you get an event like this in Splunk?

2014-04-23 10:11:44,000 DEBUG 143.171.102.228 WebContainer : 15- Getting value of source system for first time user.
Cookie Value##Wed Apr 23 21:01:00 EDT 2014

?


muguniya
Explorer

BREAK_ONLY_BEFORE = ^\d\d\d\d-\d\d-\d\d\s\d\d:\d\d:\d\d,\d\d\d

The backslash is being discarded, so I have updated the string again.


muguniya
Explorer

We have used BREAK_ONLY_BEFORE as shown below.

BREAK_ONLY_BEFORE = ^\d\d\d\d-\d\d-\d\d\s\d\d:\d\d:\d\d,\d\d\d


muguniya
Explorer

Hi,

No luck, the event is still getting broken when we receive the event ##Cookie Value##Wed Apr 23 20:41:00 EDT.

props.conf settings with the above suggestion:
[sourcetype]
BREAK_ONLY_BEFORE = ^\d\d\d\d-\d\d-\d\d\s\d\d:\d\d:\d\d,\d\d\d
NO_BINARY_CHECK = 1
SHOULD_LINEMERGE = true
maxDist = 75
pulldown_type = 1

Is there any way we can look for a date in a specific format and break the event only when it matches?

Thanks


muguniya
Explorer

We have tried the above settings; it's not working when we receive an event like ##Cookie Value##Wed Apr 23 21:01:00 EDT 2014. Splunk treats this as a separate event.

Please let us know if you need more information.


somesoni2
Revered Legend

Try this
BREAK_ONLY_BEFORE = ^\d\d\d\d-\d\d-\d\d\s\d\d:\d\d:\d\d,\d\d\d
