- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Time stamp is not being recognized
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The logs below are a sample and splunk seems to deal with them most of the time, occasionally Im seeing the logs merged together and breaking at the --EOR-- point. Recommended settings for props.conf please! Any assistance greatly appreciated, thanks.
2014-03-17T12:27:23.828 SourceName=myweb5551-com.mysite.e3.platform.foundation.bus.client.beanclass.DefaultResponseManager, EventCode=100, Type=Information, Deployment_Unit_Name=myweb5551, Service_Name=mysite-base, Service_Version=trunk-trunk.ci.990689, Thread=com.mysite.e3.platform.foundation.bus.client.beanclass.DefaultResponseManager ManagerThread
Message=[com.mysite.e3.platform.foundation.bus.client.beanclass.DefaultResponseManager ManagerThread is running]
--EOR--
2014-03-17T12:27:24.203 SourceName=myweb5551-com.mysite.e3.platform.foundation.core.monitoring.MonitorCounters.Internal, EventCode=101, Type=Information, Deployment_Unit_Name=myweb5551, Service_Name=mysite-base, Service_Version=trunk-trunk.ci.990689, Activity_Name=MonitorCounter, Activity_Id=3702d9de-0d8b-4a57-b37a-eb96e925b07e, Originator_Activity_Id=3702d9de-0d8b-4a57-b37a-eb96e925b07e, Thread=MonitorCounter
Message=[Initialized. beanUpdate = 5 sec; logUpdate = 300seconds.]
--EOR--
2014-03-17T12:27:37.344 SourceName=myweb5551-com.mysite.e3.platform.foundation.serialization.jaxbri.JaxbSerializer, EventCode=1000, Type=Information, Deployment_Unit_Name=myweb5551, Service_Name=mysite-base, Service_Version=trunk-trunk.ci.990689, Activity_Name=openBeanFactory, Activity_Id=5f2ab137-c55f-4b97-ad09-d5fc25aea897, s.search.defn.v4:com.mysite.s3.cars.messages.getchangedetail.defn.v1:com.mysite.s3.cars.messages.location.search.defn.v1 in 11024 millis.]
--EOR--
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
BREAK_ONLY_BEFORE=\d{4}\-\d{2}\-\d{2}T\d{2}:\d{2}:\d{2}\.\d{3}
SHOULD_LINEMERGE=true
This should break the event before the next timestamp, which is effectively at the after the --EOR-- mark. Your event will thus run from the timestamp up to (and including) the --EOR--.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
[source::.../mylogs/*.log]
BREAK_ONLY_BEFORE_DATE = true
should work. You need not add anything, check and let us know
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
BREAK_ONLY_BEFORE=\d{4}\-\d{2}\-\d{2}T\d{2}:\d{2}:\d{2}\.\d{3}
SHOULD_LINEMERGE=true
This should break the event before the next timestamp, which is effectively at the after the --EOR-- mark. Your event will thus run from the timestamp up to (and including) the --EOR--.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Looks great thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The end of each event is the --EOR-- The start is the date time
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
where do you want it to break?
Announcing Scheduled Export GA for Dashboard Studio
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!
