Splunk Search

BREAK_ONLY_BEFORE_DATE catches serial numbers

itghelp
Path Finder

I'm trying to get Splunk to properly break multi-line events from the Radiator RADIUS server using BREAK_ONLY_BEFORE_DATE, as each event starts with a timestamp. However, other values in lines, values that aren't timestamps, are being detected as timestamps and causing events to be split in the middle. For example, with BREAK_ONLY_BEFORE_DATE set to true for this particular sourcetype, Splunk breaks here (I've changed some digits but the length is the same):

Extreme-AP-Serial = "1000008375080206"

Here's what I want it to see as a timestamp:

Thu Jan 3 12:07:08 2013: DEBUG: Handling request with Handler 'Request-Type=Accounting-Request'

I looked through datetime.xml hoping to get rid of the offending regex and manually specify a new xml specifically for this sourcetype, but I'm not sure that that is the best way to go about this.


stefandagerman
Path Finder

This will hopefully make your life a whole lot easier... http://strftime.net

In your case, you probably need: %A %b %e %T %Y (not tested)

itghelp
Path Finder

It works, sorry I can't also give you credit for an answer. Thanks again.


Ayn
Legend

Tell Splunk what time format it should be looking for for this sourcetype using the TIME_FORMAT directive in props.conf.

itghelp
Path Finder

Awesome, now I just have to figure out which expression to use for the value of TIME_FORMAT. I put an example in the question if this happens to be second nature to you or someone else.

Thanks.

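A props.conf stanza that combines Ayn's TIME_FORMAT advice with stefandagerman's format string, added here as an example and not taken from any post in the thread. The sourcetype name radiator and the lookahead value are assumptions; the example uses %a rather than %A because the sample line's weekday is abbreviated ("Thu").

```ini
# props.conf (example stanza, not from the thread; sourcetype name and
# MAX_TIMESTAMP_LOOKAHEAD value are assumptions)
[radiator]
SHOULD_LINEMERGE = true
BREAK_ONLY_BEFORE_DATE = true

# Only look for a timestamp at the very start of a line ...
TIME_PREFIX = ^

# ... and only within the first 30 characters after that anchor, so a
# 16-digit value such as Extreme-AP-Serial = "1000008375080206" that
# appears further along a line can never be taken for a date.
MAX_TIMESTAMP_LOOKAHEAD = 30

# Thu Jan  3 12:07:08 2013  ->  %a abbreviated weekday, %b abbreviated
# month, %e space-padded day of month, %T HH:MM:SS, %Y four-digit year.
# Lines that do not match this format at position 0 are merged into the
# preceding event instead of starting a new one.
TIME_FORMAT = %a %b %e %T %Y
```

After changing props.conf the sourcetype's indexer or heavy forwarder needs a restart (or a debug/refresh), and only newly indexed data picks up the new line breaking.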