Splunk Search

line break couldn't work - HELP

rossikwan
Path Finder

For below list of data stored in a files, the first line is the fields name and exact data is started on 2nd line.

However, after indexed, it merged to a single events instead of multiple events.

How could the events break down into multiple events? Thanks.

"Number" "Date" "Time" "Interface" "Origin" "Type" "Action" "Service" "Source Port" "Source" "Destination" "Protocol" "Rule" "Rule Name" "Current Rule Number" "User" "Information" "Product" "Source Machine Name" "Source User Name"
"2495" "5Nov2013" "0:00:10" "Internal" "uabcabc" "Log" "Drop" "microsoft-ds" "1164" "123.123.123.123" "www.abcabc.com" "tcp" "52" "" "" "" "" "VPN-1 Power/UTM" "" ""
"2523" "5Nov2013" "0:00:13" "Internal" "uabcabc" "Log" "Drop" "http" "50895" "123.123.123.123" "www.abcabc.com" "tcp" "14" "" "" "" "" "IPS Software Blade" "" ""
"2524" "5Nov2013" "0:00:13" "Internal" "uabcabc" "Log" "Drop" "http" "50898" "123.123.123.123" "www.abcabc.com" "tcp" "14" "" "" "" "" "IPS Software Blade" "" ""

Tags (2)
0 Karma

Ayn
Legend

Check splunkd.log to see what it has to say about the time extraction. The timestamp processor is usually pretty good about letting you know of any errors.

0 Karma

rossikwan
Path Finder

tried this props.conf, but didn't work 😞
Any hints?

props.conf
TIME_PREFIX = "\d*"\s"
MAX_TIMESTAMP_LOOKAHEAD = 21
TIME_FORMAT = %d%b%Y" "%H:%M:%S

0 Karma

Ayn
Legend

This happens when Splunk doesn't find a valid timestamp in the message - by default Splunk will break into a new event when it finds a new line with a valid timestamp on it. You need to tell Splunk how to identify the timestamp by setting a valid TIME_FORMAT string. See more info here: http://docs.splunk.com/Documentation/Splunk/latest/Data/Configuretimestamprecognition

0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

 (view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...