I have a process that writes to a log file in 8 KB chunks when the buffer becomes full. What will happen is once the buffer is full, it will write to the log. After it writes, the last line will be partially chopped off.
This is line 1 - Other details here\r\n
This is line 2 - Other details he
Once the buffer becomes full, it will continue to write to the same line.
This is line 1 - Other details here\r\n
This is line 2 - Other details here\r\n
This is line 3 - Other details here\r\n
This is line 4 - Other details he
I've read a few articles which uses SHOULD_LINEMERGE=true and BREAK_ONLY_BEFORE = \r\n but that didn't seem to work as I still see partially complete lines in Splunk.
[my_source]
NO_BINARY_CHECK = 1
SHOULD_LINEMERGE = true
BREAK_ONLY_BEFORE = \n
pulldown_type = 1
REPORT-myname = client_delim
Do you know what I am missing?
↧