Hi All
I tried a solution suggested online for a similar issue, but it didn't fix the problem
The below extract from the log is a single event
2019-03-26 12:03:28.753 +0000 INFO [zzz] [yyy] [] [] [rrId:] [] Message
----------------------------
ID: 7
Response-Code: 200
Encoding: UTF-8
Content-Type: text/xml;charset=utf-8
Headers: {Connection=[close], Content-Type=[text/xml;charset=utf-8], Date=[Tue, 26 Mar 2019 12:03:28 GMT],
Show less
but it results like this
2019-03-26 12:03:28.753 +0000 INFO [zzz] [yyy] [] [] [rrId:] [] Message
----------------------------
ID: 7
Response-Code: 200
Encoding: UTF-8
Content-Type: text/xml;charset=utf-8
In 2 lines
Headers: {Connection=[close], Content-Type=[text/xml;charset=utf-8], Date=[Tue, 26 Mar 2019 12:03:28 GMT],
Show less
We have a cluster environment so I updated the props here - opt/splunk/etc/master-apps/_cluster/local/props.conf with the below
[log4j]
MAX_TIMESTAMP_LOOKAHEAD = 19
I pushed the change to the peers and restarted all the indexers
Any thoughts to fix this issue please?
Thanks
... View more