Line breaking two different time prefixes

atat23
Path Finder

Think I may have tried everything in props at this stage; Splunk does not seem to be paying much attention to anything I change, though, as the line breaking was working to a degree and is now questionable.

The main issue is the log file is a bit of a mess, it contains various forms of xml and also normal looking events.

This is my default that is needed to detect the difference between the day and month (otherwise 07/10 is picked up as 10/07):

[messy_log]
TIME_FORMAT=%d/%m/%Y %H:%M:%S,%3N
TIME_PREFIX=(^\s)|(^.{8}\s)
MAX_TIMESTAMP_LOOKAHEAD=35
NO_BINARY_CHECK=true
# 07/10/2015 15:21:07,413 INFO
# BLAAH771 18/08/2015 14:59:40,052

The default BREAK_ONLY_BEFORE_DATE = true is being applied (confirmed via btool).

I have also tried things with the various Break before/don't break before/break after settings:

BREAK_ONLY_BEFORE = \s\d\d\/\d\d\/\d\d\d\d\s\d\d\:\d\d\:\d\d\,\d\d\d\s

Still not cooperating.

In a Splunk search, there are some single lines being broken into single line events, but others that look like this:

 09/10/2015 16:49:15,502 INFO  host.log  - <Request>snipped</Request>
<Response>snipped</Response></channel_log_entry>
 09/10/2015 16:49:16,343 INFO  host.log  - <Request>snipped</Request>
<Response>snipped</Response></channel_log_entry>
 09/10/2015 16:49:16,388 INFO  host.log  - <Request>snipped</Request>
<Response>snipped</Response></channel_log_entry>
BLAAH678 09/10/2015 16:49:16,508 INFO  host.log - blahblahblahyakkitysmakkity
BLEEH876 09/10/2015 17:08:10,445 INFO  host.log - user has logged off

Above is a single event as seen in Splunk: 5 separate events being caught as one. The XML requests and responses are on different lines, which may be complicating things further, and possibly also the space between the start of the event and the timestamp in some events.

To make it more interesting, if I try and put the data through the data preview/sourcetype builder in "Data Inputs" with the same settings as the above props, everything is picked up perfectly.

atat23
Path Finder

@somesoni2: I have tried the below and it looks like it has basically just changed the groupings of the events; the events are being broken more often, but I still see the odd event like this, where the line breaking is just being ignored:

12/10/2015 12:33:18,779 INFO  fileupload  - sessionDestroyedListener running for USER04
12/10/2015 12:33:18,785 INFO  fileupload  - null has got session timeout page

@rphillips: The setup is basically a two-node cluster on Splunk 6.2.5. _cluster/local/props.conf is updated in master-apps, I then use the GUI to distribute the bundle to the cluster peers, make sure slave-apps has been updated on the indexer and check to see if the line breaking is applied.
I have also tried the regex you provided and the line breaking shows no change from somesoni's.

somesoni2
SplunkTrust

This worked fine for me (indexer/heavy forwarder props.conf):

[messy_log]
NO_BINARY_CHECK=true
SHOULD_LINEMERGE=true
BREAK_ONLY_BEFORE=^(\w+\s*\d{2}\/\d{2}\/\d{4}\s+\d{2}\:\d{2}\:\d{2}\,\d{3}|\d{2}\/\d{2}\/\d{4}\s+\d{2}\:\d{2}\:\d{2}\,\d{3})
# %3N is the three-digit subsecond field (the ",052" after the seconds); a bare %3 is not a valid strptime directive
TIME_FORMAT=%d/%m/%Y %H:%M:%S,%3N
MAX_TIMESTAMP_LOOKAHEAD=25

rphillips_splk
Splunk Employee

props.conf on all indexers (or, if you have a heavy forwarder in front of the indexer, this needs to go in props.conf on the HF, not the indexer):

[messy_log]
SHOULD_LINEMERGE=true
NO_BINARY_CHECK=true
# %3N is the three-digit subsecond field; a bare %3 is not a valid strptime directive
TIME_FORMAT=%d/%m/%Y %H:%M:%S,%3N
MAX_TIMESTAMP_LOOKAHEAD=35
BREAK_ONLY_BEFORE=\d{2}\/\d{2}\/\d{4}\s+\d{2}\:\d{2}\:\d{2}\,\d{3}
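Before pushing a bundle to the cluster it is worth checking a BREAK_ONLY_BEFORE pattern offline against lines of the exact shape in the file. The script below is an added example, not part of this thread or of Splunk itself: it emulates SHOULD_LINEMERGE=true with the two BREAK_ONLY_BEFORE patterns posted in the answers above, then finds the timestamp with the question's TIME_PREFIX and parses it day-first. The sample log is constructed from the line shapes quoted in the question; it keeps the leading space shown on the timestamp-first lines, which is an assumption about the real file. Python's re reads these particular PCRE patterns the same way Splunk does, and `%f` stands in for Splunk's `%3N`.

```python
"""Offline check of Splunk BREAK_ONLY_BEFORE / TIME_PREFIX settings (added example)."""
from __future__ import annotations

import re
from datetime import datetime

# Constructed sample built from the event shapes quoted in the question.
# The leading space on the timestamp-first lines is kept on purpose (assumption).
SAMPLE_LOG = (
    " 09/10/2015 16:49:15,502 INFO  host.log  - <Request>snipped</Request>\n"
    "<Response>snipped</Response></channel_log_entry>\n"
    " 09/10/2015 16:49:16,343 INFO  host.log  - <Request>snipped</Request>\n"
    "<Response>snipped</Response></channel_log_entry>\n"
    " 09/10/2015 16:49:16,388 INFO  host.log  - <Request>snipped</Request>\n"
    "<Response>snipped</Response></channel_log_entry>\n"
    "BLAAH678 09/10/2015 16:49:16,508 INFO  host.log - blahblahblahyakkitysmakkity\n"
    "BLEEH876 09/10/2015 17:08:10,445 INFO  host.log - user has logged off\n"
)

# The two BREAK_ONLY_BEFORE patterns posted in the answers, verbatim.
ANCHORED = re.compile(
    r"^(\w+\s*\d{2}\/\d{2}\/\d{4}\s+\d{2}\:\d{2}\:\d{2}\,\d{3}"
    r"|\d{2}\/\d{2}\/\d{4}\s+\d{2}\:\d{2}\:\d{2}\,\d{3})"
)  # somesoni2
UNANCHORED = re.compile(
    r"\d{2}\/\d{2}\/\d{4}\s+\d{2}\:\d{2}\:\d{2}\,\d{3}"
)  # rphillips_splk

# From the question: TIME_PREFIX and the day-first TIME_FORMAT (%f here for Splunk's %3N).
TIME_PREFIX = re.compile(r"(^\s)|(^.{8}\s)")
TIME_FORMAT = "%d/%m/%Y %H:%M:%S,%f"
STAMP = re.compile(r"\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2},\d{3}")


def merge_lines(text: str, break_only_before: re.Pattern[str]) -> list[str]:
    """Emulate SHOULD_LINEMERGE=true + BREAK_ONLY_BEFORE.

    Splunk first splits on newlines, then starts a new event only at a line
    the regex matches; every other line is appended to the current event.
    """
    events: list[list[str]] = []
    for line in text.splitlines():
        if not events or break_only_before.search(line):
            events.append([line])
        else:
            events[-1].append(line)
    return ["\n".join(e) for e in events]


def event_time(event: str, lookahead: int = 35) -> datetime:
    """Find the timestamp after TIME_PREFIX and parse it day-first.

    MAX_TIMESTAMP_LOOKAHEAD is counted from the end of the prefix match, so
    only that many characters are inspected, as Splunk would.
    """
    first = event.split("\n", 1)[0]
    prefix = TIME_PREFIX.search(first)
    start = prefix.end() if prefix else 0
    window = first[start:start + lookahead]
    m = STAMP.match(window)
    if not m:
        raise ValueError(f"no timestamp within lookahead of: {first!r}")
    return datetime.strptime(m.group(0), TIME_FORMAT)


def ambiguity(stamp: str = "07/10/2015 15:21:07,413") -> tuple[datetime, datetime]:
    """Same text parsed day-first (the config's intent) and month-first."""
    return (
        datetime.strptime(stamp, "%d/%m/%Y %H:%M:%S,%f"),
        datetime.strptime(stamp, "%m/%d/%Y %H:%M:%S,%f"),
    )


if __name__ == "__main__":
    for name, pattern in (("anchored", ANCHORED), ("unanchored", UNANCHORED)):
        events = merge_lines(SAMPLE_LOG, pattern)
        print(f"{name}: {len(events)} events")
        for ev in events:
            print("  ", event_time(ev).isoformat(), "|", ev.split("\n")[0][:45])
    day_first, month_first = ambiguity()
    print("07/10/2015 day-first:", day_first.date(), "month-first:", month_first.date())
```

On this sample the anchored pattern starts a new event only at the BLAAH/BLEEH lines, because `^\w+` and `^\d{2}` both fail on a line that begins with a space, while the unanchored pattern yields the five events the question expects; strip the leading space and both give five. Whether that space exists in the real file is exactly what to confirm with a hex dump before deciding which pattern to ship. MAX_TIMESTAMP_LOOKAHEAD is measured from the end of the TIME_PREFIX match (or from the start of the event when no prefix is set), so check that it covers the whole stamp on the prefixed lines too.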