Hello, I am trying to merge two-line logs, but no luck with it.
Splunk Enterprise 7.1.2
Here is a sample:
{"log":"Apr 04, 2019 12:01:24 PM hudson.model.AsyncPeriodicWork$1 run\n", "stream":"stderr", "time":"2019-04-04T12:01:24.77173976Z", "kubernetes":{"pod_name":"jenkins-bdd89884d-4v6sd", "namespace_name":"001", "pod_id":"33c4a5bd-553a-11e9-8b8e-005056aea3a7", "labels":{"app":"jenkins", "pod-template-hash":"688454408"}, "host":"001", "container_name":"jenkins", "docker_id":"aa9ab26e108daf221b974d80ddf1e51d91b6b235698a4f4711a0313231649a10"}}
{"log":"INFO: Finished DockerContainerWatchdog Asynchronous Periodic Work. 2 ms\n", "stream":"stderr", "time":"2019-04-04T12:01:24.771743784Z", "kubernetes":{"pod_name":"jenkins-bdd89884d-4v6sd", "namespace_name":"001", "pod_id":"33c4a5bd-553a-11e9-8b8e-005056aea3a7", "labels":{"app":"jenkins", "pod-template-hash":"688454408"}, "host":"001", "container_name":"jenkins", "docker_id":"aa9ab26e108daf221b974d80ddf1e51d91b6b235698a4f4711a0313231649a10"}}
I have created a regex that works well with the sample log in Add Data, but not in the "real world". It matches {"log":" at the beginning of the log and then the date.
This is my local props.conf:
[jsonCicd]
BREAK_ONLY_BEFORE = ^({\"log\":\")([A-Za-z]+)\s([0-9]+),\s([0-9]+)\s([0-9]+):([0-9]+):([0-9]+)\s([A,PM])
DATETIME_CONFIG =
NO_BINARY_CHECK = true
category = Structured
description = cicd logs merging
pulldown_type = true
The particular input has this sourcetype set.
Here is the debug log:
04-12-2019 08:46:25.086 +0000 DEBUG PropertiesMapConfig - Pattern 'jsonCicd' matches with priority 100
04-12-2019 08:46:25.086 +0000 DEBUG UTF8Processor - Done key received for: source::http:cicd|host::001:8088|jsonCicd|
04-12-2019 08:46:25.086 +0000 DEBUG UTF8Processor - Done key received for: source::http:cicd|host::001:8088|jsonCicd|
04-12-2019 08:46:25.086 +0000 DEBUG UTF8Processor - Done key received for: source::http:cicd|host::001:8088|jsonCicd|
04-12-2019 08:46:25.086 +0000 DEBUG UTF8Processor - Done key received for: source::http:cicd|host::001:8088|jsonCicd|
04-12-2019 08:46:25.086 +0000 INFO AggregatorMiningProcessor - Setting up line merging apparatus for: source::http:cicd|host::001:8088|jsonCicd|
which looks fine to me. I have tried multiple combinations, for example with the time format etc., but the result is still the same.
Any ideas why I can still see two logs in the search app, please?
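As an added example (editor's code, not from the poster or from Splunk), the script below checks the posted BREAK_ONLY_BEFORE regex offline against the two sample lines. It models the BREAK_ONLY_BEFORE rule as I understand it: a new event starts only at a line that matches the pattern, and every non-matching line is appended to the event being built. The sample lines are trimmed copies of the post's JSON with the kubernetes block dropped; the function names merge_events and log_fields are my own. This is a simplified model for checking a regex, not Splunk's line-merging code, so it cannot reproduce ingest-path effects.

```python
import json
import re

# The poster's BREAK_ONLY_BEFORE regex, copied verbatim from the props.conf above.
# Python's re treats the leading "{" as a literal because it is not a valid
# {m,n} quantifier, so the pattern can be used unchanged.
BREAK_ONLY_BEFORE = re.compile(
    r'^({\"log\":\")([A-Za-z]+)\s([0-9]+),\s([0-9]+)\s([0-9]+):([0-9]+):([0-9]+)\s([A,PM])'
)

# Constructed sample: the two raw lines from the post, trimmed to the fields
# relevant to line breaking (the "kubernetes" object is omitted).
SAMPLE_LINES = [
    '{"log":"Apr 04, 2019 12:01:24 PM hudson.model.AsyncPeriodicWork$1 run\\n", '
    '"stream":"stderr", "time":"2019-04-04T12:01:24.77173976Z"}',
    '{"log":"INFO: Finished DockerContainerWatchdog Asynchronous Periodic Work. 2 ms\\n", '
    '"stream":"stderr", "time":"2019-04-04T12:01:24.771743784Z"}',
]


def merge_events(lines, pattern=BREAK_ONLY_BEFORE):
    """Simplified model of BREAK_ONLY_BEFORE (not Splunk's own logic):
    a line that matches `pattern` begins a new event; any other line is
    appended to the event currently being built. Returns the list of events,
    each event being its raw lines joined with a newline."""
    events = []
    current = []
    for line in lines:
        if pattern.match(line) and current:
            events.append("\n".join(current))
            current = []
        current.append(line)
    if current:
        events.append("\n".join(current))
    return events


def matching_lines(lines, pattern=BREAK_ONLY_BEFORE):
    """Return the indexes of the lines that would start a new event, so a
    regex can be checked line by line before it is put into props.conf."""
    return [i for i, line in enumerate(lines) if pattern.match(line)]


def log_fields(lines):
    """Parse each raw line as JSON and return the embedded 'log' values,
    to confirm the regex lines up with what is actually inside the field."""
    return [json.loads(line)["log"] for line in lines]


if __name__ == "__main__":
    print("lines that start an event:", matching_lines(SAMPLE_LINES))
    for n, event in enumerate(merge_events(SAMPLE_LINES), start=1):
        print(f"--- event {n} ---")
        print(event)
    print("log fields:", log_fields(SAMPLE_LINES))
```

Run as written, only the first sample line matches, so both lines collapse into a single event; that reproduces the "works in Add Data" result the post describes and rules out the regex itself as the cause. If the same two lines arrive as two events in search, the difference is in how they reach the indexer rather than in the pattern.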