Debargha Roy

Reputation: 2708

Splunk HEC - Disable multiline event splitting due to timestamp

I have a multi-line event that has timestamps on different lines as shown in the below example

[2022-02-08 08:30:23:776] [INFO] [com.example.monitoring.ServiceMonitor] Status report for services
Service 1 - Available
Service 2 - Unavailable since 2022-02-08T07:00:00 UTC
Service 3 - Available

When the log is sent to an HEC, the lines are split into multiple events as highlighted in the Splunk data pipeline's parsing phase. Due to the presence of a timestamp on line 3, it creates 2 different events.

When searching in Splunk, I see the two events as shown below while they are supposed to be part of a single event.

Event 1

[2022-02-08 08:30:23:776] [INFO] [com.example.monitoring.ServiceMonitor] Status report for services
Service 1 - Available

Event 2

Service 2 - Unavailable since 2022-02-08T07:00:00 UTC
Service 3 - Available

I can solve the issue by setting DATETIME_CONFIG to NONE in props.conf, but that creates another issue: Splunk will stop recognizing timestamps in the event.

Is it possible to achieve the same result but without disabling the above property?

Upvotes: 1

Views: 680

Answers (1)

whng

Reputation: 246

The trick is to set TIME_PREFIX correctly:

https://ibb.co/PCG5TqY

This will only look for timestamps in lines starting with a "[".

Here is the entry for props.conf:

# The stanza name is the sourcetype; replace "changeme" with the sourcetype assigned to the HEC token or event
[changeme]
disabled = false
pulldown_type = true
category = Custom
# Left empty so the default timestamp extraction stays enabled (not NONE)
DATETIME_CONFIG = 
NO_BINARY_CHECK = true
# Regex: only look for a timestamp after a "[" at the start of a line
TIME_PREFIX = ^\[
# strptime format of the timestamp that follows the prefix; %3N is Splunk's millisecond token
TIME_FORMAT = %Y-%m-%d %H:%M:%S:%3N
# Merge lines into one event; lines without a recognized timestamp are appended to the current event
SHOULD_LINEMERGE = true

Upvotes: 2
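To make the difference between the two configurations visible without a Splunk instance, here is an added example (not from the question, the answer, or Splunk itself) that models the relevant part of the parsing phase in Python: with SHOULD_LINEMERGE = true a new event starts at every line that carries a recognizable timestamp, and TIME_PREFIX restricts which lines are even examined. The sample log is the one from the question, embedded as a constructed string; the generic timestamp regex standing in for Splunk's default datetime.xml, the subset of strptime tokens, and the 128-character lookahead (Splunk's default MAX_TIMESTAMP_LOOKAHEAD) are simplifying assumptions of this model.

```python
import re
from datetime import datetime
from typing import Optional

# Constructed sample: the multi-line event from the question (not production data).
SAMPLE_LOG = """[2022-02-08 08:30:23:776] [INFO] [com.example.monitoring.ServiceMonitor] Status report for services
Service 1 - Available
Service 2 - Unavailable since 2022-02-08T07:00:00 UTC
Service 3 - Available
"""

# Splunk strptime tokens -> (regex fragment, Python strptime token).  Subset only (assumption).
# %3N is Splunk's millisecond token; Python's %f accepts 1-6 digits, so "776" -> 776000 us.
_TOKENS = {
    "%Y": (r"\d{4}", "%Y"), "%m": (r"\d{2}", "%m"), "%d": (r"\d{2}", "%d"),
    "%H": (r"\d{2}", "%H"), "%M": (r"\d{2}", "%M"), "%S": (r"\d{2}", "%S"),
    "%3N": (r"\d{3}", "%f"),
}

# Stand-in for Splunk's default datetime.xml recognizer (assumption: it is far richer than this).
# Deliberately matches both the bracketed format on line 1 and the ISO-8601 form on line 3.
_GENERIC_TS = re.compile(r"\d{4}-\d{2}-\d{2}[T ]\d{2}:\d{2}:\d{2}")


def compile_time_format(time_format: str):
    """Translate a Splunk TIME_FORMAT into (regex that matches it, equivalent Python format)."""
    pattern, pyfmt, i = "", "", 0
    while i < len(time_format):
        tok = time_format[i:i + 3] if time_format[i:i + 3] in _TOKENS else time_format[i:i + 2]
        if tok in _TOKENS:
            pattern += _TOKENS[tok][0]
            pyfmt += _TOKENS[tok][1]
            i += len(tok)
        else:
            pattern += re.escape(time_format[i])
            pyfmt += time_format[i]
            i += 1
    return re.compile(pattern), pyfmt


def line_timestamp(line: str, time_prefix: Optional[str] = None,
                   time_format: Optional[str] = None, lookahead: int = 128) -> Optional[datetime]:
    """Return the timestamp this line would yield under the (simplified) props.conf rules, else None."""
    if time_prefix is None:
        # No TIME_PREFIX: any line with a recognizable date/time counts, like the default config.
        m = _GENERIC_TS.search(line[:lookahead])
        return datetime.strptime(m.group(0).replace("T", " "), "%Y-%m-%d %H:%M:%S") if m else None
    pm = re.search(time_prefix, line)
    if not pm:
        return None  # prefix absent: this line is never a timestamp candidate
    window = line[pm.end():pm.end() + lookahead]
    ts_re, pyfmt = compile_time_format(time_format)
    tm = ts_re.search(window)
    return datetime.strptime(tm.group(0), pyfmt) if tm else None


def merge_lines(raw: str, time_prefix: Optional[str] = None, time_format: Optional[str] = None):
    """Simplified SHOULD_LINEMERGE = true with BREAK_ONLY_BEFORE_DATE = true (Splunk's default):
    a new event starts at each line carrying a recognized timestamp; other lines are appended."""
    events = []
    for line in raw.splitlines():
        ts = line_timestamp(line, time_prefix, time_format)
        if ts is not None or not events:
            events.append({"_time": ts, "_raw": line})
        else:
            events[-1]["_raw"] += "\n" + line
    return events


def default_config_events():
    """What the question describes: no TIME_PREFIX, so line 3's ISO timestamp splits the event."""
    return merge_lines(SAMPLE_LOG)


def answer_config_events():
    """The answer's stanza: TIME_PREFIX = ^\\[ with TIME_FORMAT = %Y-%m-%d %H:%M:%S:%3N."""
    return merge_lines(SAMPLE_LOG, time_prefix=r"^\[", time_format="%Y-%m-%d %H:%M:%S:%3N")


if __name__ == "__main__":
    for label, events in (("default", default_config_events()), ("with TIME_PREFIX", answer_config_events())):
        print(f"{label}: {len(events)} event(s)")
        for ev in events:
            print(f"  _time={ev['_time']}\n  {ev['_raw']!r}")
```

Running it prints two events for the default configuration, the second beginning at "Service 2", and a single event with _time 2022-02-08 08:30:23.776 for the answer's configuration. The model also shows the limit of the approach: a line inside the block that itself starts with "[" followed by a matching timestamp would still begin a new event, exactly as the answer's description of TIME_PREFIX implies.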
