https://community.splunk.com/t5/Splunk-Enterprise/SHOULD-LINEMERGE-from-HEC-props-conf/m-p/526927#M3970 <P>On Kubernetes environment there is installed Fluentd Splunk plugin which sends to Heavy Forwarder, via HEC, the standard output application logs.</P><P>The&nbsp;standard output application logs are not structured and I'm not able to&nbsp; apply line merge to them.</P><P>My input.conf is:</P><P>[http://k8s_hec]<BR />disabled = 0<BR />index = em_events<BR />source = em_metrics<BR />token = aaaaaaaa-bbbb-cccc-dddd-fffffffffff</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>Fluentd defined many sourcetypes, and all custom applications sourcetypes end with "app";&nbsp; for example:&nbsp;</P><UL><LI><SPAN>kube:container:goofy-app</SPAN></LI><LI><SPAN>kube:container:donald-duck-app</SPAN></LI></UL><P>&nbsp;</P><P><SPAN>So I defined these two configurations in props.conf inside my HF, but I'm not able to merge events:</SPAN></P><P>[kube:container:*-app]<BR />SHOULD_LINEMERGE=true<BR />LINE_BREAKER=([\r\n]+)<BR />NO_BINARY_CHECK=true<BR />CHARSET=UTF-8<BR />MAX_TIMESTAMP_LOOKAHEAD=30<BR />disabled=false<BR />TIME_FORMAT=%Y-%m-%d %H:%M:%S.%3N<BR />TIME_PREFIX=^<BR />MAX_EVENTS=1024</P><P>[source::k8s_hec]<BR />SHOULD_LINEMERGE=true<BR />LINE_BREAKER=([\r\n]+)<BR />NO_BINARY_CHECK=true<BR />CHARSET=UTF-8<BR />MAX_TIMESTAMP_LOOKAHEAD=30<BR />disabled=false<BR />TIME_FORMAT=%Y-%m-%d %H:%M:%S.%3N<BR />TIME_PREFIX=^<BR />MAX_EVENTS=1024</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>Someone can help me?</P> Wed, 28 Oct 2020 17:01:49 GMT robertosegantin 2020-10-28T17:01:49Z https://community.splunk.com/t5/Splunk-Enterprise/SHOULD-LINEMERGE-from-HEC-props-conf/m-p/526927#M3970 <P>On Kubernetes environment there is installed Fluentd Splunk plugin which sends to Heavy Forwarder, via HEC, the standard output application logs.</P><P>The&nbsp;standard output application logs are not structured and I'm not able to&nbsp; apply line merge to them.</P><P>My input.conf is:</P><P>[http://k8s_hec]<BR />disabled = 0<BR />index = em_events<BR />source = em_metrics<BR />token = aaaaaaaa-bbbb-cccc-dddd-fffffffffff</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>Fluentd defined many sourcetypes, and all custom applications sourcetypes end with "app";&nbsp; for example:&nbsp;</P><UL><LI><SPAN>kube:container:goofy-app</SPAN></LI><LI><SPAN>kube:container:donald-duck-app</SPAN></LI></UL><P>&nbsp;</P><P><SPAN>So I defined these two configurations in props.conf inside my HF, but I'm not able to merge events:</SPAN></P><P>[kube:container:*-app]<BR />SHOULD_LINEMERGE=true<BR />LINE_BREAKER=([\r\n]+)<BR />NO_BINARY_CHECK=true<BR />CHARSET=UTF-8<BR />MAX_TIMESTAMP_LOOKAHEAD=30<BR />disabled=false<BR />TIME_FORMAT=%Y-%m-%d %H:%M:%S.%3N<BR />TIME_PREFIX=^<BR />MAX_EVENTS=1024</P><P>[source::k8s_hec]<BR />SHOULD_LINEMERGE=true<BR />LINE_BREAKER=([\r\n]+)<BR />NO_BINARY_CHECK=true<BR />CHARSET=UTF-8<BR />MAX_TIMESTAMP_LOOKAHEAD=30<BR />disabled=false<BR />TIME_FORMAT=%Y-%m-%d %H:%M:%S.%3N<BR />TIME_PREFIX=^<BR />MAX_EVENTS=1024</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>Someone can help me?</P> Wed, 28 Oct 2020 17:01:49 GMT https://community.splunk.com/t5/Splunk-Enterprise/SHOULD-LINEMERGE-from-HEC-props-conf/m-p/526927#M3970 robertosegantin 2020-10-28T17:01:49Z https://community.splunk.com/t5/Splunk-Enterprise/SHOULD-LINEMERGE-from-HEC-props-conf/m-p/526959#M3974 <P>Have you looked at the indexed data to see if it's arriving in the expected format?</P><P>&nbsp;</P> Wed, 28 Oct 2020 19:34:03 GMT https://community.splunk.com/t5/Splunk-Enterprise/SHOULD-LINEMERGE-from-HEC-props-conf/m-p/526959#M3974 richgalloway 2020-10-28T19:34:03Z https://community.splunk.com/t5/Splunk-Enterprise/SHOULD-LINEMERGE-from-HEC-props-conf/m-p/527027#M3980 <P>To be more clear I update the events indexed:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="indexed_data.png" style="width: 999px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/11562i72FE78471691FFD5/image-size/large?v=v2&amp;px=999" role="button" title="indexed_data.png" alt="indexed_data.png" /></span></P><P>I need to merge all these events received via HEC.</P><P>If I read these events in a classical way, via log reading, with a more simple configuration, Splunk is able to merge them:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="adddata.png" style="width: 999px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/11563i4F5BEF100997662D/image-size/large?v=v2&amp;px=999" role="button" title="adddata.png" alt="adddata.png" /></span></P><P>&nbsp;</P><P>I hope that is not a limit about HEC method.</P><P>Thanks</P> Thu, 29 Oct 2020 08:59:05 GMT https://community.splunk.com/t5/Splunk-Enterprise/SHOULD-LINEMERGE-from-HEC-props-conf/m-p/527027#M3980 robertosegantin 2020-10-29T08:59:05Z https://community.splunk.com/t5/Splunk-Enterprise/SHOULD-LINEMERGE-from-HEC-props-conf/m-p/527051#M3981 <P>humm, your props doesnt really tell how to merge.</P><P>One possible solution would be to add date form at the end of your LINE_BREAKER</P> Thu, 29 Oct 2020 10:17:03 GMT https://community.splunk.com/t5/Splunk-Enterprise/SHOULD-LINEMERGE-from-HEC-props-conf/m-p/527051#M3981 maraman_splunk 2020-10-29T10:17:03Z https://community.splunk.com/t5/Splunk-Enterprise/SHOULD-LINEMERGE-from-HEC-props-conf/m-p/541671#M5071 <P>you need to use the concat filter to line merge these events BEFORE HEC. Please see multiline filter rules in Splunk Connect for Kubernetes</P><P><A href="https://github.com/splunk/splunk-connect-for-kubernetes#processing-multi-line-logs" target="_blank">https://github.com/splunk/splunk-connect-for-kubernetes#processing-multi-line-logs</A></P><P>Concat filter plugin is used and make sure the HEC payload makes it to Splunk already line-merged.&nbsp;</P><P>There are gnarly props and transforms hack to do this work but it is better at the collector or in Data Stream Processor or other stream proc products out there. This is because the container runtimes themselves don't even support multiline logging at this point</P> Sun, 28 Feb 2021 14:27:49 GMT https://community.splunk.com/t5/Splunk-Enterprise/SHOULD-LINEMERGE-from-HEC-props-conf/m-p/541671#M5071 mattymo 2021-02-28T14:27:49Z