Solved: Re: What is the configuration so that the followin...

cesarbmx · ‎05-11-2022

Could someone help me with the Splunk configuration so that the following events show independently in the Splunk search?

[my_sourcetype]
MAX_TIMESTAMP_LOOKAHEAD = 30
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
TIME_PREFIX = 
TIME_FORMAT =

somesoni2 · ‎05-11-2022

Give this a try

On your indexer/heavy forwarder (whichever comes first)

[yourSourceType]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)(?=\{\"Event)
MAX_TIMESTAMP_LOOKAHEAD = 33
TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%7Q%:z
TIME_PREFIX = Timestamp\"\:\"

View solution in original post

somesoni2 · ‎05-11-2022

Give this a try

On your indexer/heavy forwarder (whichever comes first)

[yourSourceType]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)(?=\{\"Event)
MAX_TIMESTAMP_LOOKAHEAD = 33
TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%7Q%:z
TIME_PREFIX = Timestamp\"\:\"

richgalloway · ‎05-11-2022

That LINE_BREAKER setting should have worked. See if this one works any better.

LINE_BREAKER = ()\{"Event

---
If this reply helps you, Karma would be appreciated.

What is the configuration so that the following events show independently in the Splunk search?

lookup

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?