Why are my events not splitting correctly by times...

yqifan83 · ‎12-01-2016

My props.conf has:

TZ=UTC
TRUNCATE = 0
BREAK_ONLY_BEFORE_DATE = true
TIME_FORMAT = %d%b%Y_%H:%M:%S.%3N
MAX_DAYS_HENCE = 5
MAX_TIMESTAMP_LOOKAHEAD = 24
SHOULD_LINEMERGE = true

My events are like this:

01DEC2016_09:28:00.873 INFO [machine] 348 GMT2016-12-01T09:28:00.792Z (78 ms) [uuid] 17662753 [firm] 9001 [sn] 290501 initialize storage: 
{
    "toastPosition": {
        "x": 400,
        "y": 0
    },
    "toastListSize": {
        "width": 600,
        "height": 190
    },
    "toastPageSize": {
        "width": 300,
        "height": 230
    },
    "columnSizes": {
        "selectedColumnWidth": 30,
        "timestampColumnWidth": 70,
        "dealcodeColumnWidth": 65,
        "aliasColumnWidth": 65,
        "firmnameColumnWidth": 200
    },
    "windowId": "5a2bbf703d160d47bdd7af216868aa40",
    "feedSettings": {
        "showFeed": false,
        "feedFilter": 1,
        "feedWeight": 0.3,
        "feedColPosition": 0.32
    },
    "soundSetting": {
        "customSounds": [],
        "postSound": "Default Sound for New Text",
        "toastSound": "Default Sound for New Toast"
    }
}

01DEC2016_09:28:00.876 INFO [machine] 348 GMT2016-12-01T09:28:00.792Z (81 ms) [uuid] 17662753 [firm] 9001 [sn] 290501 start logging on to IBD2 in main with args: 
{}

01DEC2016_09:28:01.689 INFO [machine] 348 GMT2016-12-01T09:28:01.686Z [uuid] 17662753 [firm] 9001 [sn] 290501 "machine type: ucbr: 2 fxibdsrv: 2 fxibdqsc: 2"

01DEC2016_09:28:01.833 INFO [machine] 348 GMT2016-12-01T09:28:01.728Z (102 ms) [uuid] 17662753 [firm] 9001 [sn] 290501 worker signOn Response: 
{
    "machineType": 2,
    "machineTypeFxibdsvc": 2,
    "machineTypeFxibdqsc": 2,
    "fxaxUser": {
        "uuid": 17662753,
        "dealCode": "BGEU",
        "userNum": 16733059,
        "userCustNum": 6618,
        "firstName": "VINCENT VON",
        "lastName": "ROTZ",
        "fullName": "VINCENT VON ROTZ",
        "isDemo": false,
        "isTest": true,
        "isBbg": true,
        "isBba": true
    },
    "fxpvDealingCode": {
        "bankNumber": 31,
        "firmNumber": 9001,
        "primaryIdentifier": 1,
        "secondaryIdentifier": 3,
        "tertiaryIdentifier": 0,
        "quaternaryIdentifier": 0,
        "streamingName": 1010532,
        "optionsName": 1010532,
        "disclaimer": 1015148,
        "streamingLogo": 31100137,
        "optionsLogo": 41941229,
        "dealingCode": "BGEU",
        "companyName": "BLOOMBERG FX LONDON",
        "active": 1,
        "optionsUsesQuoteEngine": false,
        "enfb_id": "521cce1e1b1c0000",
        "rfqUsesQuoteEngine": false,
        "isBbg": true,
        "isTest": true
    },
    "isTradingEnabled": true,
    "isTeamLead": false,
    "isGrabChatEnabled": false,
    "settings": {
        "enable_toast": true,
        "enable_ib_parsing": false,
        "ibd_textflow_input_rows_expand": 3,
        "ibd_textflow_input_rows_collapse": 2,
        "alias": "",
        "font_size": 14,
        "bring_msg_to_front": false,
        "flash_win_toolbar": false,
        "autostart": false,
        "enable_keyboard_navigation": false,
        "show_pending_requests": false,
        "use_bloomberg_name": true,
        "launch_cnf_on_capture": true,
        "launch_cnf_on_end": false,
        "flash_rqst_or_chat": true,
        "auto_expand": false,
        "use_above_below": false,
        "start_ibd_instead_of_ib_from_tickets": false,
        "focus_on_ack": false,
        "use_all_in_as_ref": false,
        "play_sound_until_picked_up": false,
        "play_sound_for_toast": true,
        "play_sound_on_new_text": true,
        "flash_my_rqsts_tab": false,
        "flash_monitored_tab": false
    },
    "isClassic": true,
    "tcnfEnabled": true
}

01DEC2016_09:28:02.473 INFO [machine] 348 GMT2016-12-01T09:28:02.414Z (56 ms) [uuid] 17662753 [firm] 9001 [sn] 290501 sessionInit success. [accountUrn:] urn:fb-ib-bloomberg-net:BGEU:in=f  [sessionId:] d83fed2195cc0006  [identityUrn:] urn:identity-ib-bloomberg-net:1:0:urn%3Afb-ib-bloomberg-net%3ABGEU%3Ain%3Df:uuid%3D17662753

01DEC2016_09:28:02.533 INFO [machine] 348 GMT2016-12-01T09:28:02.477Z (52 ms) [uuid] 17662753 [firm] 9001 [sn] 290501 sessionInit success. [accountUrn:] urn:fb-ib-bloomberg-net:BGEU:in=t  [sessionId:] d83fed2195cc0005  [identityUrn:] urn:identity-ib-bloomberg-net:1:0:urn%3Afb-ib-bloomberg-net%3ABGEU%3Ain%3Dt:uuid%3D17662753

01DEC2016_09:28:02.893 INFO [machine] 348 GMT2016-12-01T09:28:02.820Z (70 ms) [uuid] 17662753 [firm] 9001 [sn] 290501 successfully logged on to IBD2.

01DEC2016_09:28:02.894 INFO [machine] 348 GMT2016-12-01T09:28:02.820Z (70 ms) [uuid] 17662753 [firm] 9001 [sn] 290501 hide IBD for user

01DEC2016_09:28:02.914 INFO [machine] 348 GMT2016-12-01T09:28:02.836Z (75 ms) [uuid] 17662753 [firm] 9001 [sn] 290501 sending fxibdbus subscription: 
{
    "uuid": 17662753,
    "FxEnvironment": 2
}

01DEC2016_09:28:02.914 INFO [machine] 348 GMT2016-12-01T09:28:02.836Z (74 ms) [uuid] 17662753 [firm] 9001 [sn] 290501 fxibdbus eventHandler, eventType: SERVICEOPEN_RESULT

01DEC2016_09:28:02.914 INFO [machine] 348 GMT2016-12-01T09:28:02.836Z (76 ms) [uuid] 17662753 [firm] 9001 [sn] 290501 fxibdbus eventHandler, eventType: CONNECTED

01DEC2016_09:28:04.114 INFO [machine] 348 GMT2016-12-01T09:28:04.014Z (97 ms) [uuid] 17662753 [firm] 9001 [sn] 290501 fxibdbus eventHandler, eventType: SUBSCRIPTION_RESULT

They are presented in Splunk as one event. But I would like to break them by timestamp.
Why has this happened? How to fix this problem?

inventsekar · ‎12-01-2016

Did you try, SHOULD_LINEMERGE = false ?

inventsekar · ‎12-01-2016

Also did you try, without the MAX_DAYS_HENCE ?!?!

Why are my events not splitting correctly by timestamp?

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...