Hi,
My log file is like this:
```
[#|2019-01-31 11:04:34,712 | ERROR | some data
Logging important message |#]
```
In my props.conf (SplunkUniversalForwarder\etc\system\default), I have tried the following options:
```
[source::...\\data\\log\\*.log]
sourcetype = appcustom

[appcustom]
```
**Option 1**
```
BREAK_ONLY_BEFORE = |#]
SHOULD_LINEMERGE = true
```
**Option 2**
```
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)(|#])([\r\n]+)
```
**Option 3**
```
MUST_NOT_BREAK_AFTER = ^[#
MUST_BREAK_AFTER = #]
SHOULD_LINEMERGE = true
```
If my log file contains all the lines from "[#|" to "|#]" PRIOR TO Splunk seeing the file for the first time, then the lines are successfully indexed as multiline events as follows:
**First event:**
```
[#|2019-01-31 11:04:34,712 | ERROR | some data
Logging important message |#]
```
However, if my application is still in the process of writing to the log file when Splunk indexes it, then event breaking is totally messed up. For example, my app would first flush the following line to the log:
```
[#|2019-01-31 11:04:34,712 | ERROR | some
```
and then a couple of seconds later this additional line is appended:
```
data Logging important message |#]
```
In this case I would get these events instead:
**First event:**
```
[#|2019-01-31 11:04:34,712 | ERROR | some
```
**Second event:**
```
data Logging important message |#]
```
The first and second events in this case should really have been combined as a single event, but during index time, Splunk "closed" the first event prematurely because my app had stopped writing to the log temporarily.
I want to see only one multiline event regardless of when or what my app writes to the log file. Is this possible via configuration changes in Splunk?
Regards
Senthil
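One configuration that addresses the problem described in the post, added here as an example and not taken from the original post or from Splunk's documentation verbatim: break on the start marker `[#|` of the next event rather than on the end marker `|#]`, and give the file monitor on the forwarder more time before it treats the end of a half-written file as an event boundary. It assumes the `appcustom` sourcetype from the post; the Windows monitor path and the numeric values are illustrative. Two points matter for where it goes: a universal forwarder does not apply `LINE_BREAKER` or `SHOULD_LINEMERGE` itself, so the props.conf stanza belongs on the indexer or heavy forwarder that parses the data, while `time_before_close` and `multiline_event_extra_waittime` are inputs.conf settings on the forwarder; and all of it belongs in an `etc/system/local` (or an app's `local`) directory, since `default` is replaced on upgrade.

```ini
# inputs.conf on the universal forwarder (etc/system/local, not default)
# Constructed example; point the monitor stanza at the real log directory.
[monitor://C:\data\log\*.log]
sourcetype = appcustom
# Seconds the file must be idle (no modification) before the monitor
# closes it on EOF; default is 3, which is shorter than the gap between
# the two flushes described in the post.
time_before_close = 10
# Do not send an event delimiter merely because EOF was reached on a
# newline; hold the partial event until more data or the idle timeout.
multiline_event_extra_waittime = true

# props.conf on the indexer / heavy forwarder that parses the data
[appcustom]
# Break only where the NEXT event begins. The lookahead keeps "[#|" as
# part of the following event, so an incomplete event stays buffered
# until the next "[#|" arrives or the file is closed as idle.
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)(?=\[#\|)
# Anchor timestamp extraction to the event header.
TIME_PREFIX = ^\[#\|
TIME_FORMAT = %Y-%m-%d %H:%M:%S,%3N
MAX_TIMESTAMP_LOOKAHEAD = 23
# Cap event size so a missing "|#]" cannot produce a runaway event.
TRUNCATE = 100000
```

Breaking on the start marker rather than the end marker is what makes the partial flush in the post harmless: with `|#]` as the boundary, the chunk `some` is followed by EOF and a newline and looks complete, whereas with `[#|` as the boundary nothing can close the event until the next header is seen. Raising `time_before_close` only helps if the application's pause between flushes is shorter than the value, so it should be set from observed flush behaviour rather than guessed.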