Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: line break couldn't work - HELP
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
line break couldn't work - HELP
For below list of data stored in a files, the first line is the fields name and exact data is started on 2nd line.
However, after indexed, it merged to a single events instead of multiple events.
How could the events break down into multiple events? Thanks.
"Number" "Date" "Time" "Interface" "Origin" "Type" "Action" "Service" "Source Port" "Source" "Destination" "Protocol" "Rule" "Rule Name" "Current Rule Number" "User" "Information" "Product" "Source Machine Name" "Source User Name"
"2495" "5Nov2013" "0:00:10" "Internal" "uabcabc" "Log" "Drop" "microsoft-ds" "1164" "123.123.123.123" "www.abcabc.com" "tcp" "52" "" "" "" "" "VPN-1 Power/UTM" "" ""
"2523" "5Nov2013" "0:00:13" "Internal" "uabcabc" "Log" "Drop" "http" "50895" "123.123.123.123" "www.abcabc.com" "tcp" "14" "" "" "" "" "IPS Software Blade" "" ""
"2524" "5Nov2013" "0:00:13" "Internal" "uabcabc" "Log" "Drop" "http" "50898" "123.123.123.123" "www.abcabc.com" "tcp" "14" "" "" "" "" "IPS Software Blade" "" ""
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Check splunkd.log to see what it has to say about the time extraction. The timestamp processor is usually pretty good about letting you know of any errors.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
tried this props.conf, but didn't work 😞
Any hints?
props.conf
TIME_PREFIX = "\d*"\s"
MAX_TIMESTAMP_LOOKAHEAD = 21
TIME_FORMAT = %d%b%Y" "%H:%M:%S
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This happens when Splunk doesn't find a valid timestamp in the message - by default Splunk will break into a new event when it finds a new line with a valid timestamp on it. You need to tell Splunk how to identify the timestamp by setting a valid TIME_FORMAT string. See more info here: http://docs.splunk.com/Documentation/Splunk/latest/Data/Configuretimestamprecognition
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Index This | What travels the world but is also stuck in place?
Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data
Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...
