Getting Data In

Time stamp is not being recognized

smudge797
Path Finder

The logs below are a sample and splunk seems to deal with them most of the time, occasionally Im seeing the logs merged together and breaking at the --EOR-- point. Recommended settings for props.conf please! Any assistance greatly appreciated, thanks.

2014-03-17T12:27:23.828 SourceName=myweb5551-com.mysite.e3.platform.foundation.bus.client.beanclass.DefaultResponseManager, EventCode=100, Type=Information, Deployment_Unit_Name=myweb5551, Service_Name=mysite-base, Service_Version=trunk-trunk.ci.990689, Thread=com.mysite.e3.platform.foundation.bus.client.beanclass.DefaultResponseManager ManagerThread
Message=[com.mysite.e3.platform.foundation.bus.client.beanclass.DefaultResponseManager ManagerThread is running]
--EOR--
2014-03-17T12:27:24.203 SourceName=myweb5551-com.mysite.e3.platform.foundation.core.monitoring.MonitorCounters.Internal, EventCode=101, Type=Information, Deployment_Unit_Name=myweb5551, Service_Name=mysite-base, Service_Version=trunk-trunk.ci.990689, Activity_Name=MonitorCounter, Activity_Id=3702d9de-0d8b-4a57-b37a-eb96e925b07e, Originator_Activity_Id=3702d9de-0d8b-4a57-b37a-eb96e925b07e, Thread=MonitorCounter
Message=[Initialized. beanUpdate = 5 sec; logUpdate = 300seconds.]
--EOR--
2014-03-17T12:27:37.344 SourceName=myweb5551-com.mysite.e3.platform.foundation.serialization.jaxbri.JaxbSerializer, EventCode=1000, Type=Information, Deployment_Unit_Name=myweb5551, Service_Name=mysite-base, Service_Version=trunk-trunk.ci.990689, Activity_Name=openBeanFactory, Activity_Id=5f2ab137-c55f-4b97-ad09-d5fc25aea897, s.search.defn.v4:com.mysite.s3.cars.messages.getchangedetail.defn.v1:com.mysite.s3.cars.messages.location.search.defn.v1 in 11024 millis.]
--EOR--

Tags (2)
0 Karma
1 Solution

lcrielaa
Communicator
BREAK_ONLY_BEFORE=\d{4}\-\d{2}\-\d{2}T\d{2}:\d{2}:\d{2}\.\d{3}
SHOULD_LINEMERGE=true

This should break the event before the next timestamp, which is effectively at the after the --EOR-- mark. Your event will thus run from the timestamp up to (and including) the --EOR--.

View solution in original post

0 Karma

linu1988
Champion

[source::.../mylogs/*.log]
BREAK_ONLY_BEFORE_DATE = true

should work. You need not add anything, check and let us know

0 Karma

lcrielaa
Communicator
BREAK_ONLY_BEFORE=\d{4}\-\d{2}\-\d{2}T\d{2}:\d{2}:\d{2}\.\d{3}
SHOULD_LINEMERGE=true

This should break the event before the next timestamp, which is effectively at the after the --EOR-- mark. Your event will thus run from the timestamp up to (and including) the --EOR--.

0 Karma

smudge797
Path Finder

Looks great thanks!

0 Karma

smudge797
Path Finder

The end of each event is the --EOR-- The start is the date time

0 Karma

linu1988
Champion

where do you want it to break?

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...