Splunk Search

What is the configuration so that the following events show independently in the Splunk search?

cesarbmx
Engager


Could someone help me with the Splunk configuration so that the following events show independently in the Splunk search?

cesarbmx_0-1652281754910.png

 

 

[my_sourcetype]
MAX_TIMESTAMP_LOOKAHEAD = 30
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
TIME_PREFIX = 
TIME_FORMAT = 

 

 

 

 

Labels (1)
0 Karma
1 Solution

somesoni2
Revered Legend

Give this a try

On your indexer/heavy forwarder (whichever comes first)

[yourSourceType]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)(?=\{\"Event)
MAX_TIMESTAMP_LOOKAHEAD = 33
TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%7Q%:z
TIME_PREFIX = Timestamp\"\:\"

View solution in original post

somesoni2
Revered Legend

Give this a try

On your indexer/heavy forwarder (whichever comes first)

[yourSourceType]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)(?=\{\"Event)
MAX_TIMESTAMP_LOOKAHEAD = 33
TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%7Q%:z
TIME_PREFIX = Timestamp\"\:\"

richgalloway
SplunkTrust
SplunkTrust

That LINE_BREAKER setting should have worked.  See if this one works any better.

LINE_BREAKER = ()\{"Event

 

---
If this reply helps you, Karma would be appreciated.
Get Updates on the Splunk Community!

See just what you’ve been missing | Observability tracks at Splunk University

Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...

Weezer at .conf25? Say it ain’t so!

Hello Splunkers, The countdown to .conf25 is on-and we've just turned up the volume! We're thrilled to ...

How SC4S Makes Suricata Logs Ingestion Simple

Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has ...