Splunk Search

Parsing not working as expected

a508184
Explorer

New to Splunk, I need your help.

Data:

4/5/2022 9:02 PM | Audit | hi user | something.MoveFiles | Copied File from C:\hello.txt to server/something.txt 4/5/2022 9:02 AM | Audit | hi user | something.MoveFiles | Copied File from D:\reportsSuccess\_CMS.txt to \\server_CMS.txt 12/15/2022 10:02 PM | Audit | hi user | something.MoveFiles | Copied File from D:\reportsSuccess\_CMS.txt to \\server_CMS.txt 4/4/2022 5:00 AM | Audit | hi user | FileSplitter.ProcessFiles | Started Processing : ID 4/4/2022 5:00 AM | Audit | hi user | FileSplitter.ProcessFiles | Started Processing 4/4/2022 5:00 AM | Audit | hi user | FileReader.FileReader | FileReader for D:\reportsInput\tsst.TXT initilized 4/4/2022 5:00 AM | Audit | hi user | something.something. 11/4/2022 5:00 AM | Audit | hi user | something.something. 10/4/2021 5:00 AM | Audit | hi user | something.something.


12/15/2022 is being taken as 2/15/22. Below is the props.conf I am using.

 

SHOULD_LINEMERGE=true
LINE_BREAKER=([/r/n]*)[0-9]+\/[0-9]+\/\d{4}\s[0-9]+:[0-9]+\s[P|A]M
TZ=EST
TIME_PREFIX =^
BREAK_ONLY_BEFORE=[0-9]+\/[0-9]+\/\d{4}\s[0-9]+:[0-9]+\s[P|A]M


Can you please help me get the parsing correct? Thanks in advance.

1 Solution

VatsalJagani
SplunkTrust

Using SHOULD_LINEMERGE=true is inefficient for performance. Use the configuration below.

# Let LINE_BREAKER alone decide event boundaries; no second merge pass
SHOULD_LINEMERGE = false
# Group 1 (whitespace) is discarded; the timestamp that follows starts the next event.
# [PA]M is the correct class for AM/PM; [P|A]M would also accept a literal "|"
LINE_BREAKER = ([\s\n\r]+)[0-9]+\/[0-9]+\/\d{4}\s[0-9]+:[0-9]+\s[PA]M\s+
TZ = EST
# The timestamp is at the very start of each event
TIME_PREFIX = ^
# Month/day/4-digit year, 12-hour clock with AM/PM, so 12/15/2022 is no longer guessed
TIME_FORMAT = %m/%d/%Y %I:%M %p
# "12/15/2022 10:02 PM" is 19 characters; 25 leaves headroom without scanning the message
MAX_TIMESTAMP_LOOKAHEAD = 25


By the looks of the data you pasted, it is not necessary for each event to be on a new line. But if that is the case (each event on a new line), then updating LINE_BREAKER as below will improve performance and reduce the chances of incorrect line-breaking.

([\n\r]+)[0-9]+\/[0-9]+\/\d{4}\s[0-9]+:[0-9]+\s[PA]M\s+


I hope this helps!!!
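As an added example (not part of the original post and not Splunk's own code), the following Python emulates what the configuration above does so the regex and TIME_FORMAT can be checked offline: it breaks the poster's single-line sample at each LINE_BREAKER match, discarding only capture group 1, then parses the timestamp anchored at the start of each event with the same strftime format. The helper names break_events and extract_time and the embedded sample are assumptions of this example.

```python
import re
from datetime import datetime

# Constructed sample: four of the poster's events on one line, exactly as pasted
SAMPLE = (
    "4/5/2022 9:02 PM | Audit | hi user | something.MoveFiles | Copied File from C:\\hello.txt to server/something.txt "
    "4/5/2022 9:02 AM | Audit | hi user | something.MoveFiles | Copied File from D:\\reportsSuccess\\_CMS.txt to \\\\server_CMS.txt "
    "12/15/2022 10:02 PM | Audit | hi user | something.MoveFiles | Copied File from D:\\reportsSuccess\\_CMS.txt to \\\\server_CMS.txt "
    "4/4/2022 5:00 AM | Audit | hi user | FileSplitter.ProcessFiles | Started Processing : ID"
)

# Settings from the accepted answer (regex written with [PA]M for the AM/PM class)
LINE_BREAKER = re.compile(r"([\s\n\r]+)[0-9]+\/[0-9]+\/\d{4}\s[0-9]+:[0-9]+\s[PA]M\s+")
TIME_FORMAT = "%m/%d/%Y %I:%M %p"
MAX_TIMESTAMP_LOOKAHEAD = 25


def break_events(raw):
    """Emulate Splunk line breaking: each LINE_BREAKER match ends the current
    event; the text matched by capture group 1 is dropped and the next event
    begins immediately after it (i.e. at the timestamp)."""
    events, start = [], 0
    for m in LINE_BREAKER.finditer(raw):
        events.append(raw[start:m.start()])
        start = m.end(1)  # skip only the discarded separator, keep the timestamp
    events.append(raw[start:])
    return [e for e in events if e]


def extract_time(event):
    """Emulate TIME_PREFIX=^ with an explicit TIME_FORMAT: the timestamp must sit
    at the start of the event within MAX_TIMESTAMP_LOOKAHEAD characters.
    Returns a datetime, or None when no timestamp is present."""
    head = event[:MAX_TIMESTAMP_LOOKAHEAD]
    m = re.match(r"\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2} [AP]M", head)
    if not m:
        return None
    return datetime.strptime(m.group(0), TIME_FORMAT)


if __name__ == "__main__":
    for ev in break_events(SAMPLE):
        print(extract_time(ev), "<-", ev[:40])
```

Running it shows the third event parsed as 2022-12-15 22:02:00, the value the poster saw mis-parsed; if the regex were wrong, the event count or the extracted times would be off before the config reached an indexer.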


venkatasri
SplunkTrust

Your TIME_PREFIX = ^ means the start of the event, so what you have highlighted is not being considered as _time for that reason.

When you set TIME_PREFIX alone, the start of the event is 4/5/2022 9:02 PM, assuming line breaking is fine.

You should look at TIME_FORMAT and set TIME_PREFIX correctly for the timestamp you want to consider for _time.

The screenshot and the events pasted look completely different.
