Splunk splitting multi-line log events by date

log-files splunk

Solution 1:

Tell Splunk to break events before a date that comes at the beginning of a line. And it would help to tell Splunk the expected format of timestamps:

LINE_BREAKER = ([\r\n]+)\d\d\d\d-\d\d-\d\d
TIME_PREFIX = ^
TIME_FORMAT = %Y-%m-%d %H:%M:S,%3N

Related

Rewriterule not working with Joomla urls due to question mark and other special characters, also due to long urls
Is there an advantage to using discreet ZFS datasets/filesystems in a single zpool?
Google Cloud billed me 1000$
Duplicated local account SIDs after Windows 10 upgrade
OWA error: Exception type: Microsoft.Exchange.Data.Storage.StorageTransientException
Linux bin folder is broken [closed]
Ubuntu 20.04 server install failing from live cd
Scripting VMWare ESXi from a linux server
Mapped Network Drive with SMB1 and Windows 10 [closed]
Is 'Max Cpu' at 100% normal?
change permission of mounted folder in linux
Install multiple instances of a program from .deb file to different locations