Using the following time format from props.conf included with the Splunk MySQL TA:
TIME_FORMAT = %y%m%d %H:%M:%S
Used to split the following log format by timestamp:
150803 7:27:03 102983 Connect drupal@foo.com on bar
102983 Query select @@version_comment limit 1
102983 Query SELECT whatever from whatever
102983 Quit
Creates an event for 08/03/15 7:27:03 correctly. However, when an event in this log is truncated like so:
102983 Query select @@version_comment limit 1
102983 Query SELECT whatever from whatever
102983 Quit
Splunk reads the event ID as the timestamp instead, as 10/29/2015 8:42:02, and groups the next 150+ lines, including other events that should be split by timestamp.
Is there a way to account for these truncated log entries? The MySQL host in question is using all default settings.
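The failure mode described above, reproduced as an added illustration (not from the question or the Splunk MySQL TA): a line-grouper that starts a new event only when a line begins with a real general-log header (six-digit date followed by a time), so a continuation line such as "102983 Query ..." can never be taken for a date, and a truncated entry that has lost its header becomes an event with no timestamp instead of a bogus one. The sample lines are constructed from the excerpt in the question; in props.conf the same idea corresponds to anchoring the timestamp match (for example with TIME_PREFIX) rather than letting it float over the first characters of the line.

```python
import re
from datetime import datetime

# Strict MySQL general-log header: yymmdd, one or more spaces, H:MM:SS, a space.
# A continuation line ("102983 Query ...") starts with six digits too, but it
# has no time component, so it cannot match this pattern.
HEADER_RE = re.compile(r"^(\d{6})\s+(\d{1,2}:\d{2}:\d{2})\s")
TIME_FORMAT = "%y%m%d %H:%M:%S"  # same format as the TA's props.conf


def parse_header_time(line):
    """Return a datetime if the line starts with a real log header, else None."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    return datetime.strptime(f"{m.group(1)} {m.group(2)}", TIME_FORMAT)


def split_events(lines):
    """Group lines into events; a new event starts only at a real header.

    Lines seen before any header (a truncated entry) form one event whose
    timestamp is None, rather than being parsed as a date."""
    events = []
    current = None
    for line in lines:
        ts = parse_header_time(line)
        if ts is not None or current is None:
            current = {"timestamp": ts, "lines": []}
            events.append(current)
        current["lines"].append(line)
    return events


# Constructed sample: the first three lines are a truncated entry that lost
# its header; the rest is a complete entry as shown in the question.
SAMPLE = [
    "102983 Query select @@version_comment limit 1",
    "102983 Query SELECT whatever from whatever",
    "102983 Quit",
    "150803 7:27:03 102983 Connect drupal@foo.com on bar",
    "102983 Query select @@version_comment limit 1",
    "102983 Query SELECT whatever from whatever",
    "102983 Quit",
]

if __name__ == "__main__":
    for ev in split_events(SAMPLE):
        print(ev["timestamp"], len(ev["lines"]), "lines")
```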