Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Line breaking does not work for events with the same timestamp

jgaraygay
Explorer
‎08-22-2013 11:19 AM

Help please! Our data looks like the one below....

1377190800,ANAQUA_VMs,52940532,987100964550,Normal,0,161792,50,18623,4.29447,3.02706
1377190800,ANAQUA_VMs,ANAQUA_VMs-ETC,P,166810,47232,33,8

And here is our props.conf file. I believe we have tried all possible combinations of lin breaking parameters but none of them seem to work for us...

TIME_PREFIX = ^
TIME_FORMAT = %s
MAX_TIMESTAMP_LOOKAHEAD = 10
TZ = UTC
#LINE_BREAKER=([\r\n]+)
BREAK_ONLY_BEFORE_DATE = true
#SHOULD_LINEMERGE = false
#MUST_BREAK_AFTER = ([\r\n]+)

Thanks in advance!

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jgaraygay
Explorer
‎08-26-2013 06:51 AM

Manually reloading the endpoints (/debug/refresh) did not work so I had to restart the Splunk daemon. I am running Splunk 5.0.3.1 build 167641.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

jgaraygay
Explorer
‎08-26-2013 06:51 AM

Manually reloading the endpoints (/debug/refresh) did not work so I had to restart the Splunk daemon. I am running Splunk 5.0.3.1 build 167641.

0 Karma
Reply
Solved! Jump to solution

kristian_kolb
Ultra Champion
‎08-22-2013 01:35 PM

This does not work?

TIME_PREFIX = ^
TIME_FORMAT = %s
MAX_TIMESTAMP_LOOKAHEAD = 20
TZ = UTC
SHOULD_LINEMERGE = false

Even though only a plain

SHOULD_LINEMERGE = false

should be enough

Are you sure that you're editing the correct props.conf file. I.e. where the parsing phase takes place;

http://wiki.splunk.com/Where_do_I_configure_my_Splunk_settings

/K

Reply
Solved! Jump to solution

kristian_kolb
Ultra Champion
‎08-23-2013 12:01 AM

Yes, but the question still remains; Have you configured this on the correct Splunk instance? Depending on your setup, i.e. the chain of splunk instances that may be involved, you line-breaking configs should be on the highlighted instance.

a) file -> Heavy Forwarder-> Indexer
b) file -> Universal Forwarder ->Indexer
c) file -> Universal Forwarder ->Heavy Forwarder-> Indexer
d) file -> Indexer

Any clearer? Revisit the "where do i configure my splunk settings" link above for guidance.

/K

0 Karma
Reply
Solved! Jump to solution

jgaraygay
Explorer
‎08-22-2013 03:57 PM

The ones explicitly defined are coming from "e:\Program Files\Splunk\etc\apps\ko_props_transforms\local\props.conf" and the default ones from "e:\Program Files\Splunk\etc\system\default\props.conf"

0 Karma
Reply
Solved! Jump to solution

jgaraygay
Explorer
‎08-22-2013 03:56 PM

e:ProgramFilesSplunketcappsko_props_transformslocalprops.conf [recoverpoint_stats]
MAX_TIMESTAMP_LOOKAHEAD = 20
REPORT-rp_stats_fields = rp_stats_fields_P, rp_stats_fields_L, rp_stats_fields_R
SHOULD_LINEMERGE = false
TIME_FORMAT = %s
TIME_PREFIX = ^
TZ = UTC

e:\Program Files\Splunk\etc\system\default\props.conf
ANNOTATE_PUNCT = True
BREAK_ONLY_BEFORE = 
BREAK_ONLY_BEFORE_DATE = True
CHARSET = AUTO
DATETIME_CONFIG = \etc\datetime.xml
HEADER_MODE =
0 Karma
Reply
Solved! Jump to solution

sowings
Splunk Employee
Splunk Employee
‎08-22-2013 03:36 PM

Btool btool btool!

Run $SPLUNK_HOME/bin/splunk cmd btool props list recoverpoint_stats --debug

This will tell you the app (or if Splunk > 5.0.3, the exact file) that contains the settings which apply for that type. The comment about hiding or showing the REPORT stanza is immaterial here; if there's no other props.conf containing that setting, the one you're editing will take precedence. If you've used the UI to edit the props, those entries are in the local/ subfolder, which contains any override settings. That is, there may be two versions of props.conf, and you're editing the wrong one.

0 Karma
Reply
Solved! Jump to solution

Ayn
Legend
‎08-22-2013 02:54 PM

REPORT is search-time though, so if you have a setup with a search head and an indexer you need to put this on the indexer. If you're searching directly on your indexer you've put your configs in the right place though.

0 Karma
Reply
Solved! Jump to solution

jgaraygay
Explorer
‎08-22-2013 02:27 PM

Still didn't work. 

[recoverpoint_stats]
TIME_PREFIX = ^
TIME_FORMAT = %s
MAX_TIMESTAMP_LOOKAHEAD = 20
TZ = UTC
SHOULD_LINEMERGE = false
REPORT-rp_stats_fields=rp_stats_fields_P, rp_stats_fields_L, rp_stats_fields_R

I believe I have the correct props.conf file because it also has a REPORT setting. And if I comment the #REPORT, I don't get the field extractions.

0 Karma
Reply
Get Updates on the Splunk Community!

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA

Join us on Wed, Dec 10. at 10AM PST / 1PM EST for a live webinar and demo with Splunk experts! Discover how ...

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

If you’re unfamiliar, .conf is Splunk’s premier event where the Splunk community, customers, partners, and ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

There’s something special about this time of year—maybe it’s the glow of the holidays, maybe it’s the ...