Event not showing full log entry... newline issue?

clamendola
New Member

For some reason Splunk is indexing one of my log files a bit oddly. In the following excerpt, the Splunk event is only displaying up to the Patch Description line. The previous 20 lines of the log are being indexed without a problem, and I cannot figure out why it's stopping here. If I move the "Created..." line onto the same line as "Patch Description...", I see Created, but then the next line is cut off. I tried re-entering the newline between the strings, but that didn't make a difference. It has to be a newline issue, since moving it onto the same line indexes, but I cannot for the life of me figure out why Splunk is treating some newlines differently than others.

Anyone have any insight on this?

Unique Patch ID: 198774662
Patch description: "One-off"
Created on 9 May2016, 00:43:09 hrs UTC
Bugs fixed:

0 Karma

cpetterborg
SplunkTrust

It is probably because the line after the Patch Description has a date. If you haven't defined how the line breaking is done, Splunk likes to use the line with the date as the first line of an event. I would suggest putting the line breaker information in the props.conf file.

0 Karma

clamendola
New Member

Hm... That would make sense. Is there any way to escape the dates in the log file so that Splunk doesn't read them as new entries? I can change how the log is written, but the dates are necessary.

I'm trying to avoid adding anything to the props.conf file as I don't want any global changes affecting how the other logs on these servers are being indexed.

0 Karma

cpetterborg
SplunkTrust

There isn't a way that I know of to make it avoid looking at the date for the line breaker without specifying it in the props.conf file. And since we are on that subject, the sourcetype is what you tie the props.conf definition to for the line break (it's not global), so it should not affect other data coming in. Use something like:

[your_source_type]
BREAK_ONLY_BEFORE=^Unique Patch ID:
# needed as well, or the "Created on <date>" line still starts a new event
BREAK_ONLY_BEFORE_DATE=false
TIME_PREFIX=Created on\s+
TIME_FORMAT=<yourdateformathere>

0 Karma
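As an added illustration (not part of the original thread, and not Splunk's own code), the Python below models the two line-merging behaviours discussed in the answers over a constructed log in the shape of the excerpt: the default heuristic that starts a new event at any line carrying a recognisable timestamp, and an explicit BREAK_ONLY_BEFORE regex. The timestamp pattern and the merge loop are a deliberate simplification for illustration; they are assumptions about the behaviour, not Splunk's implementation.

```python
import re

# Constructed sample log (two records in the shape of the excerpt from the post).
SAMPLE_LOG = """\
Unique Patch ID: 198774662
Patch description: "One-off"
Created on 9 May2016, 00:43:09 hrs UTC
Bugs fixed:
  12345678
Unique Patch ID: 198774663
Patch description: "Security"
Created on 10 May2016, 01:15:00 hrs UTC
Bugs fixed:
  87654321
"""

# Simplified stand-in for Splunk's automatic timestamp recognition; it only
# needs to spot the "9 May2016, 00:43:09" shape used in this log (assumption).
DATE_RE = re.compile(r"\b\d{1,2}\s+[A-Z][a-z]{2}\s*\d{4},\s*\d{2}:\d{2}:\d{2}")


def merge_lines(text, break_before=None, break_before_date=True):
    """Model of line merging with SHOULD_LINEMERGE=true.

    A line starts a new event if it matches `break_before` (the
    BREAK_ONLY_BEFORE regex) or, when `break_before_date` is set, if it
    carries a timestamp (the BREAK_ONLY_BEFORE_DATE behaviour). Both
    conditions are ORed here, which is why leaving the date rule enabled
    still splits events even when a BREAK_ONLY_BEFORE regex is configured.
    """
    break_re = re.compile(break_before) if break_before else None
    events, current = [], []
    for line in text.splitlines():
        starts_event = bool(break_re and break_re.search(line))
        if break_before_date and DATE_RE.search(line):
            starts_event = True
        if starts_event and current:
            events.append("\n".join(current))
            current = []
        current.append(line)
    if current:
        events.append("\n".join(current))
    return events


def default_events():
    """No props.conf tuning: the date line is taken as an event start."""
    return merge_lines(SAMPLE_LOG)


def regex_only_events():
    """BREAK_ONLY_BEFORE set, but the date rule left on: still over-split."""
    return merge_lines(SAMPLE_LOG, break_before=r"^Unique Patch ID:")


def fixed_events():
    """BREAK_ONLY_BEFORE plus BREAK_ONLY_BEFORE_DATE=false: one event per record."""
    return merge_lines(
        SAMPLE_LOG, break_before=r"^Unique Patch ID:", break_before_date=False
    )


if __name__ == "__main__":
    for label, events in (
        ("default", default_events()),
        ("regex only", regex_only_events()),
        ("regex + no date break", fixed_events()),
    ):
        print(f"--- {label}: {len(events)} event(s)")
        for ev in events:
            print(ev)
            print("-" * 20)
```

Running it reproduces the symptom from the question: with the defaults the first event ends at the "Patch description" line, because the "Created on" line carries a timestamp and is treated as the start of the next event. With only the regex configured the records are still cut in two; only when the date rule is also switched off does each "Unique Patch ID" block come out as a single event.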