I am trying to set the timestamp for the event:
========
Sat Mar 19 16:33:08 2022 -05:00
LENGTH : '228'
ACTION :[7] 'CONNECT'
DATABASE USER:[1] '/'
=========
The rules I used are:
TIME_FORMAT = %a %b %d %H:%M:%S %Y %:z
TIME_PREFIX = ^
MAX_TIMESTAMP_LOOKAHEAD = 32
It is catching the timestamp correctly. However, it is showing the error "could not use strptime to parse timestamp from LENGTH : '228'".
I am not sure how to resolve the error.
Thank you. These are the sample lines:
========
Sat Mar 19 16:33:08 2022 -05:00 LENGTH : '228' ACTION :[7] 'CONNECT' DATABASE USER:[1] '/' PRIVILEGE :[6] 'SYSDBA' CLIENT USER:[6] 'oracle' CLIENT TERMINAL:[5] 'pts/1' STATUS:[1] '0' DBID:[0] '' SESSIONID:[0] '' USERHOST:[0] '' CLIENT ADDRESS:[0] '' ACTION NUMBER:[3] '100' Audit file /u01/app/oracle/product/19.3.0/dbhome_1/rdbms/audit/lllprd1_ora_44388_20220319163308485740872483.aud Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 - Production Version 19.14.0.0.0
Sat Mar 19 15:25:42 2022 -05:00 LENGTH : '228' ACTION :[7] 'CONNECT' DATABASE USER:[1] '/' PRIVILEGE :[6] 'SYSDBA' CLIENT USER:[6] 'oracle' CLIENT TERMINAL:[5] 'pts/1' STATUS:[1] '0' DBID:[0] '' SESSIONID:[0] '' USERHOST:[0] '' CLIENT ADDRESS:[0] '' ACTION NUMBER:[3] '100' Audit file /u01/app/oracle/product/19.3.0/dbhome_1/rdbms/audit/lllprd1_ora_4908_20220319152542116439456508.aud Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 - Production
==============
Have you set the following attributes properly? It seems an issue with the line-breaking or line-merging because Splunk is also trying to parse the timestamp on the second line as well.
Yes. I have applied the below 2 rules:
LINE_BREAKER = ([\r\n]+)
SHOULD_LINEMERGE = true
Line breaking is proper. Not sure why it is showing the error.
If SHOULD_LINEMERGE=true then you have specified when to break the event.
I would suggest using SHOULD_LINEMERGE=false and updating the LINE_BREAKER accordingly. (Gives better performance and hopefully resolves your error too.)
Please provide two-three sample events as they are in the file and I can help you write the LINE_BREAKER.
It seems you have a single-line event, so use SHOULD_LINEMERGE=false along with your current configuration.
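To see why the warning names "LENGTH : '228'", here is a small Python model of the ingestion steps discussed in the thread (LINE_BREAKER, TIME_PREFIX, MAX_TIMESTAMP_LOOKAHEAD, TIME_FORMAT). This is an added example, not Splunk's code or anything from the poster; it simplifies Splunk's pipeline to "break on the LINE_BREAKER capture group, then try strptime on the lookahead window". The two sample inputs are constructed from the events in the post, trimmed to their first fields. Python's strptime has no %:z, so the equivalent "%z" (which accepts "-05:00" on Python 3.7+) is assumed. Correct timestamps matter for an audit trail: an event whose time cannot be parsed is stamped with some other time and no longer lines up with the SYSDBA session it records.

```python
import re
from datetime import datetime

# Constructed inputs. The first mirrors the single-line events from the post;
# the second mirrors the first sample, where each field sits on its own line.
SINGLE_LINE_EVENTS = (
    "Sat Mar 19 16:33:08 2022 -05:00 LENGTH : '228' ACTION :[7] 'CONNECT' DATABASE USER:[1] '/'\n"
    "Sat Mar 19 15:25:42 2022 -05:00 LENGTH : '228' ACTION :[7] 'CONNECT' DATABASE USER:[1] '/'\n"
)
MULTI_LINE_EVENT = (
    "Sat Mar 19 16:33:08 2022 -05:00\n"
    "LENGTH : '228'\n"
    "ACTION :[7] 'CONNECT'\n"
    "DATABASE USER:[1] '/'\n"
)

# Settings from the thread.
LINE_BREAKER = re.compile(r"([\r\n]+)")
TIME_PREFIX = re.compile(r"^")
MAX_TIMESTAMP_LOOKAHEAD = 32
# Assumed Python equivalent of "%a %b %d %H:%M:%S %Y %:z" (no %:z in Python).
PY_TIME_FORMAT = "%a %b %d %H:%M:%S %Y %z"


def break_events(raw):
    """Split raw text into events as a LINE_BREAKER with one capture group does:
    the captured text is the boundary and is dropped, everything else is an event."""
    parts = LINE_BREAKER.split(raw)
    return [p for p in parts if p and not LINE_BREAKER.fullmatch(p)]


def extract_timestamp(event):
    """Model of the timestamp lookup: locate TIME_PREFIX, take at most
    MAX_TIMESTAMP_LOOKAHEAD characters after it, and try TIME_FORMAT on them.
    Returns a datetime, or None when the window cannot be parsed (the case the
    'could not use strptime' warning reports)."""
    m = TIME_PREFIX.search(event)
    window = event[m.end():m.end() + MAX_TIMESTAMP_LOOKAHEAD]
    # C strptime stops once the format is satisfied; Python's needs an exact
    # match, so try every prefix of the window, longest first.
    for n in range(len(window), 0, -1):
        try:
            return datetime.strptime(window[:n], PY_TIME_FORMAT)
        except ValueError:
            continue
    return None


def diagnose(raw):
    """Break raw text into events and pair each with its parsed timestamp (or None)."""
    return [(event, extract_timestamp(event)) for event in break_events(raw)]


def unparsed_events(raw):
    """The events that would trigger the warning from the post."""
    return [event for event, ts in diagnose(raw) if ts is None]


if __name__ == "__main__":
    for label, raw in (("single-line", SINGLE_LINE_EVENTS), ("multi-line", MULTI_LINE_EVENT)):
        print(f"--- {label} input ---")
        for event, ts in diagnose(raw):
            status = ts.isoformat() if ts else "could not use strptime to parse timestamp"
            print(f"{status:45s} <- {event[:40]!r}")
```

With the single-line sample every event parses, which is the situation the last reply describes (SHOULD_LINEMERGE=false is enough). With the multi-line form, breaking on every newline turns "LENGTH : '228'" into its own event, and that is exactly the text the warning quotes: the fix is a LINE_BREAKER that only breaks in front of a timestamp, not merging lines back together after the fact.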