Hi,
The events displayed in Splunk Web seem to be missing the timestamp on events that have the same timestamp.
Please see the data below for details.
For example:
In my log file I can see 3 entries as follows:
18:24:21.809 582 Event1 - Logging Event 1
18:24:21.809 582 Event2 - Logging Event 2
18:24:21.809 582 Event3 - Logging Event 3
But in Splunk Web I see the following:
Event3 - Logging Event 3
Event2 - Logging Event 2
18:24:21.809 582 Event1 - Logging Event 1
It does seem like it's stripping off the timestamps on events.
Can you please let me know how to fix this?
Props.conf:
SHOULD_LINEMERGE = false
LINE_BREAKER = (([\r\n]+)(\d{2}:\d{2}:\d{2}.\d{3})) | (([\r\n]+)(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}))
TZ = UTC
DATETIME_CONFIG = /etc/customDatetime.xml
customDatetime.xml
<datetime>
  <!-- time-only pattern: the "." before the milliseconds is escaped so it matches a literal dot -->
  <define name="_format1" extract="hour, minute, second, subsecond">
    <text>(\d{2}):(\d{2}):(\d{2})\.(\d{3})</text>
  </define>
  <!-- full date + time pattern -->
  <define name="_format2" extract="year, month, day, hour, minute, second, subsecond">
    <text>(\d{4})-(\d{2})-(\d{2})\s(\d{1,2}):(\d{2}):(\d{2}),(\d{3})</text>
  </define>
  <timePatterns>
    <use name="_format1"/>
    <use name="_format2"/>
  </timePatterns>
  <datePatterns>
    <use name="_format1"/>
    <use name="_format2"/>
  </datePatterns>
</datetime>
The default line breaker should suffice if each of these events is on a separate line with line feeds / carriage returns.
Remove your line breaker.
If that doesn't work, try this:
# BREAK_ONLY_BEFORE is only honoured when SHOULD_LINEMERGE is true;
# with SHOULD_LINEMERGE = false it is ignored.
SHOULD_LINEMERGE = true
BREAK_ONLY_BEFORE = \d{2}:\d{2}:\d{2}\.\d{3}
TZ = UTC
DATETIME_CONFIG = /etc/customDatetime.xml
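The following is an added example, not part of the question or the answer above, that simulates the documented LINE_BREAKER rule (text from the start of capture group 1 to its end is discarded; the rest is kept) against a constructed copy of the three log lines from the question. It shows why the LINE_BREAKER posted in the question loses the timestamp on every event after the first (the timestamp sits inside capture group 1), that the default breaker keeps it, and what a lookahead-based variant (a hypothetical alternative, not something from the thread) does. It also simulates the SHOULD_LINEMERGE = true / BREAK_ONLY_BEFORE approach from the answer on a constructed input with a continuation line. The simulation's trimming of trailing newlines and its handling of a match where group 1 does not participate are assumptions of this script, not Splunk behaviour.

```python
import re

# Constructed sample input mirroring the three log lines in the question
# (not captured from the poster's system).
SAMPLE = (
    "18:24:21.809 582 Event1 - Logging Event 1\n"
    "18:24:21.809 582 Event2 - Logging Event 2\n"
    "18:24:21.809 582 Event3 - Logging Event 3\n"
)

# LINE_BREAKER exactly as posted in the question: the newline AND the
# timestamp are both inside capture group 1, which is the part discarded.
POSTED_BREAKER = (
    r"(([\r\n]+)(\d{2}:\d{2}:\d{2}.\d{3})) | "
    r"(([\r\n]+)(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}))"
)

# Splunk's default LINE_BREAKER: group 1 is only the newline(s).
DEFAULT_BREAKER = r"([\r\n]+)"

# Hypothetical alternative (assumption of this example): capture only the
# newline and put the timestamp in a lookahead, so group 1 never contains
# timestamp text.
LOOKAHEAD_BREAKER = (
    r"([\r\n]+)(?=\d{2}:\d{2}:\d{2}\.\d{3}"
    r"|\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3})"
)


def split_events(raw: str, line_breaker: str) -> list[str]:
    """Simulate the documented LINE_BREAKER rule: the start of capture
    group 1 ends the previous event, the end of group 1 starts the next
    event, and the text of group 1 itself is discarded.  Text matched
    outside group 1 stays in the events.  Dropping empty events and
    trimming trailing newlines are choices of this simulation."""
    events = []
    pos = 0
    for m in re.finditer(line_breaker, raw):
        # Assumption of this simulation: if group 1 did not take part in
        # the match (e.g. only the second alternative matched), treat the
        # whole match as the breaker.
        start, end = m.span(1) if m.start(1) != -1 else m.span(0)
        events.append(raw[pos:start])
        pos = end
    events.append(raw[pos:])
    return [e.rstrip("\r\n") for e in events if e.strip()]


# Constructed input with a continuation line (a stack-trace style line
# without a timestamp) to show line merging.
MULTILINE_SAMPLE = (
    "18:24:21.809 582 Event1 - Logging Event 1\n"
    "18:24:21.809 582 Event2 - Exception\n"
    "    at com.example.Foo(Foo.java:42)\n"
    "18:24:21.809 582 Event3 - Logging Event 3\n"
)


def merge_lines(raw: str, break_only_before: str) -> list[str]:
    """Simulate SHOULD_LINEMERGE = true with BREAK_ONLY_BEFORE: split on
    newlines first, then start a new event only at a line that matches
    the pattern; every other line is appended to the current event."""
    pat = re.compile(break_only_before)
    events: list[str] = []
    for line in raw.splitlines():
        if pat.search(line) or not events:
            events.append(line)
        else:
            events[-1] += "\n" + line
    return events


if __name__ == "__main__":
    for name, breaker in [("posted", POSTED_BREAKER),
                          ("default", DEFAULT_BREAKER),
                          ("lookahead", LOOKAHEAD_BREAKER)]:
        print(f"--- LINE_BREAKER ({name}) ---")
        for ev in split_events(SAMPLE, breaker):
            print(repr(ev))
    print("--- SHOULD_LINEMERGE = true, BREAK_ONLY_BEFORE ---")
    for ev in merge_lines(MULTILINE_SAMPLE, r"\d{2}:\d{2}:\d{2}\.\d{3}"):
        print(repr(ev))
```

With the posted breaker the first event keeps its timestamp only because there is no preceding newline for the regex to match; every later event starts after the discarded "newline + timestamp" text, which is the behaviour described in the question.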