https://community.splunk.com/t5/Getting-Data-In/How-to-merge-a-multiline-event-correctly/m-p/150614#M30631 <P>I have a problem that is similar to this topic :<BR /> <A href="http://answers.splunk.com/answers/188776/events-are-not-properly-split.html" target="_blank">http://answers.splunk.com/answers/188776/events-are-not-properly-split.html</A></P> <P>My log looks like this :</P> <PRE><CODE>Wed Jul 30 02:41:12 TAIST 2015 runstats on table TABLE1 DB20000I The RUNSTATS command completed successfully. Wed Jul 30 02:45:12 TAIST 2015 runstats on table TABLE2 SQLERROR : ... error message Wed Jul 30 02:47:30 TAIST 2015 runstats on table TABLE3 DB20000I The RUNSTATS command completed successfully. </CODE></PRE> <P>I want to group the three line into one event , so I could know the check status for each table.<BR /> but I find the SPLUNK will not wait the last line and group the event correctly , it will index the event as soon as possible.</P> <P>I means , Splunk will group the first two line into one group , and the third line is another "orphan" event, because the third line is usually being written after 2~3 seconds. </P> <P>My props.conf setting :</P> <PRE><CODE>[reorg_out] SHOULD_LINEMERGE = true BREAK_ONLY_BEFORE_DATE = true TIME_FORMAT = %a %b %d %H:%M:%S TAIST %Y </CODE></PRE> <P>I had tried a lot of different settings about LINE MERGE , like : BREAK_ONLY_BEFORE , LINE_BREAK , MUST_NOT_BREAK_AFTER ... etc<BR /> It is not working...</P> <P>What should I do to tell Splunk wait the last log and group the multiline event correctly ?</P> Tue, 29 Sep 2020 06:51:18 GMT leo_wang 2020-09-29T06:51:18Z https://community.splunk.com/t5/Getting-Data-In/How-to-merge-a-multiline-event-correctly/m-p/150614#M30631 <P>I have a problem that is similar to this topic :<BR /> <A href="http://answers.splunk.com/answers/188776/events-are-not-properly-split.html" target="_blank">http://answers.splunk.com/answers/188776/events-are-not-properly-split.html</A></P> <P>My log looks like this :</P> <PRE><CODE>Wed Jul 30 02:41:12 TAIST 2015 runstats on table TABLE1 DB20000I The RUNSTATS command completed successfully. Wed Jul 30 02:45:12 TAIST 2015 runstats on table TABLE2 SQLERROR : ... error message Wed Jul 30 02:47:30 TAIST 2015 runstats on table TABLE3 DB20000I The RUNSTATS command completed successfully. </CODE></PRE> <P>I want to group the three line into one event , so I could know the check status for each table.<BR /> but I find the SPLUNK will not wait the last line and group the event correctly , it will index the event as soon as possible.</P> <P>I means , Splunk will group the first two line into one group , and the third line is another "orphan" event, because the third line is usually being written after 2~3 seconds. </P> <P>My props.conf setting :</P> <PRE><CODE>[reorg_out] SHOULD_LINEMERGE = true BREAK_ONLY_BEFORE_DATE = true TIME_FORMAT = %a %b %d %H:%M:%S TAIST %Y </CODE></PRE> <P>I had tried a lot of different settings about LINE MERGE , like : BREAK_ONLY_BEFORE , LINE_BREAK , MUST_NOT_BREAK_AFTER ... etc<BR /> It is not working...</P> <P>What should I do to tell Splunk wait the last log and group the multiline event correctly ?</P> Tue, 29 Sep 2020 06:51:18 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-merge-a-multiline-event-correctly/m-p/150614#M30631 leo_wang 2020-09-29T06:51:18Z https://community.splunk.com/t5/Getting-Data-In/How-to-merge-a-multiline-event-correctly/m-p/150615#M30632 <P>You need to use this <CODE>inputs.conf</CODE> setting:</P> <PRE><CODE>time_before_close = &lt;integer&gt; * Modtime delta required before Splunk can close a file on EOF. * Tells the system not to close files that have been updated in past &lt;integer&gt; seconds. * Defaults to 3. </CODE></PRE> Fri, 31 Jul 2015 13:29:32 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-merge-a-multiline-event-correctly/m-p/150615#M30632 woodcock 2015-07-31T13:29:32Z https://community.splunk.com/t5/Getting-Data-In/How-to-merge-a-multiline-event-correctly/m-p/150616#M30633 <P>I used "time_before_close" setting in my pervious test.<BR /> Unfortunately , it's still not working.</P> Tue, 29 Sep 2020 06:51:43 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-merge-a-multiline-event-correctly/m-p/150616#M30633 leo_wang 2020-09-29T06:51:43Z https://community.splunk.com/t5/Getting-Data-In/How-to-merge-a-multiline-event-correctly/m-p/150617#M30634 <P>What setting did you use? I would go as high as 10 seconds. If you cannot make this work, then the only other thing I can think to do is to create your own pre-processing script to act as intermediary and send the events form the original file to another file (with Splunk monitoring the second one) in bundled batches.</P> Sun, 02 Aug 2015 00:50:02 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-merge-a-multiline-event-correctly/m-p/150617#M30634 woodcock 2015-08-02T00:50:02Z https://community.splunk.com/t5/Getting-Data-In/How-to-merge-a-multiline-event-correctly/m-p/150618#M30635 <P>It seems someone has the same issue, but still can't find the answer for this...<BR /> <A href="http://answers.splunk.com/answers/207258/is-there-a-way-to-tell-splunk-how-long-to-wait-for.html">http://answers.splunk.com/answers/207258/is-there-a-way-to-tell-splunk-how-long-to-wait-for.html</A></P> <P>I know writing scripts for those files might be the solution.<BR /> But it will make the things complicated and not easy to maintain in the future.<BR /> Anyone has the suggestion ?</P> Tue, 04 Aug 2015 02:44:07 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-merge-a-multiline-event-correctly/m-p/150618#M30635 leo_wang 2015-08-04T02:44:07Z