° TRUNCATE = 1024: If you are certain you only care about the first n characters of an event, you can instruct Splunk to truncate each line. What is considered a line can be changed with the next attribute.
° LINE_BREAKER = ([\r\n]+)(?=\d{4}-\d\d-\d\d): The most efficient approach to multiline events is to redefine what Splunk considers a line. This example says that a line is broken on any number of newlines followed by a date of the form 1111-11-11. The big disadvantage to this approach is that, if your log changes, you will end up with garbage in your index until you update your configuration. Try the props helper app available at Splunkbase for help making this kind of configuration.
• Where is the date? If there is no date, see DATETIME_CONFIG further down this bullet list. The relevant attributes are:
° TIME_PREFIX = ^\[: By default, dates are assumed to fall at the beginning of the line. If this is not true, give Splunk some help and move the cursor past the characters preceding the date. This pattern is applied to each line, so if you have redefined LINE_BREAKER correctly, you can be sure only the beginnings of actual multiline events are being tested.
° MAX_TIMESTAMP_LOOKAHEAD = 30: Even if you change no other setting, you should change this one. This setting says how far after TIME_PREFIX to test for dates. With no help, Splunk will take the first 150 characters of each line and then test regular expressions to find anything that looks like a date. The default regular expressions are pretty lax, so what it finds may look more like a date than the actual date. If you know your date is never more than n characters long, set this value to n or n+2. Remember that the characters retrieved come after TIME_PREFIX.
• What does the date look like? These attributes will be of assistance here:
° TIME_FORMAT = %Y-%m-%d %H:%M:%S.%3N %:z: If this attribute is specified, Splunk will apply strptime to the characters immediately following TIME_PREFIX. If this matches, then you're done. This is by far the most efficient and least error-prone approach. Without this attribute, Splunk actually applies a series of regular expressions until it finds something that looks like a date.
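An added illustration, not from the book and not Splunk's own code: a small Python model of how LINE_BREAKER, TIME_PREFIX, MAX_TIMESTAMP_LOOKAHEAD and TIME_FORMAT compose, run over a constructed log. It assumes a LINE_BREAKER with `\[` added so it agrees with TIME_PREFIX = ^\[, and it approximates Splunk's strptime (which ignores trailing text) by shortening the lookahead window until Python's strptime accepts it; the last log line, whose date format has drifted, ends up glued into the previous event, which is the "garbage in your index" case described above.

```python
import re
from datetime import datetime

# Constructed sample log (not from the page): bracketed timestamps, a
# multi-line stack trace, and a last line whose date format has drifted.
SAMPLE_LOG = (
    "[2023-05-01 10:15:30.123 +00:00] INFO  request started\n"
    "    at handler.process(handler.py:42)\n"
    "    at server.dispatch(server.py:17)\n"
    "[2023-05-01 10:15:31.456 +05:30] ERROR request failed\n"
    "[2023/05/01 10:15:32.789 +00:00] WARN  format drifted\n"
)

# props.conf values: LINE_BREAKER is the page's pattern with "\[" added so
# it agrees with TIME_PREFIX = ^\[; the other three are as on the page.
LINE_BREAKER = r"([\r\n]+)(?=\[\d{4}-\d\d-\d\d)"
TIME_PREFIX = r"^\["
MAX_TIMESTAMP_LOOKAHEAD = 30
TIME_FORMAT = "%Y-%m-%d %H:%M:%S.%3N %:z"

def break_events(raw, line_breaker=LINE_BREAKER):
    """Cut raw text into events at each LINE_BREAKER match; the text in
    capture group 1 is the boundary and is discarded, as Splunk does."""
    events, pos = [], 0
    for m in re.finditer(line_breaker, raw):
        events.append(raw[pos:m.start(1)])
        pos = m.end(1)
    events.append(raw[pos:])
    return [e.rstrip("\r\n") for e in events if e.strip()]

def splunk_to_strptime(fmt):
    """Map the two Splunk-only specifiers used on the page onto Python's
    strptime: %3N (milliseconds) -> %f, %:z (+HH:MM) -> %z."""
    return fmt.replace("%3N", "%f").replace("%:z", "%z")

def extract_timestamp(event, time_prefix=TIME_PREFIX,
                      lookahead=MAX_TIMESTAMP_LOOKAHEAD, fmt=TIME_FORMAT):
    """Skip TIME_PREFIX, take MAX_TIMESTAMP_LOOKAHEAD characters and parse
    them with TIME_FORMAT. Splunk's strptime ignores trailing text; Python's
    does not, so the window is shortened until it parses. None on failure."""
    m = re.search(time_prefix, event)
    if not m:
        return None
    window = event[m.end():m.end() + lookahead]
    py_fmt = splunk_to_strptime(fmt)
    for end in range(len(window), 0, -1):
        try:
            return datetime.strptime(window[:end], py_fmt)
        except ValueError:
            continue
    return None
```

Lowering the lookahead below the 30 characters the timestamp occupies makes extraction fail for every event, which is why the text says to set it to n or n+2 rather than leaving the default.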