Linebreaks in log4j files with splunk forwarder

Ido — Fri, 22 Jan 2021 08:18:14 GMT

Hi,

I have a log4j file where the lines are nog parsed correct.

can anyone help me with creating a sourcetype for splunk

When there is a date in the xml the line is broken (red) because of:

props.conf in de splunkforwarder client.

[log4j]
BREAK_ONLY_BEFORE = \d\d?:\d\d:\d\d
pulldown_type = true
maxDist = 75
category = Application

What can i do to make this one line and only break when the line begins with a date

21 Jan 2021 15:11:25.832 [publicerenExecutorService18] INFO nl.anwb.flow.connector.publicerenhvstatus.PublicerenHvStatusConnectorStub - <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Header/><SOAP-ENV:Body><PublicerenHulpverleningStatusRequest xmlns="http://anwb.nl/webservices/publiceren_hulpverlening_status_request/3">
<Header>
<BusinessProcesNaam>DistributieHulpverleningStatus</BusinessProcesNaam>
<BusinessTransactieReferentie>xxxxx</BusinessTransactieReferentie>
<BronSysteem>
<BronSysteemNaam>xx</BronSysteemNaam>
</BronSysteem>
<Volgorde>
<Indicator>2021-01-21T14:11:25.825Z</Indicator>
</Volgorde>
<AfleverKanaal>
<Code>xxxx</Code>
<AfleverPartij>
<Naam>xxxx.</Naam>
</AfleverPartij>
</AfleverKanaal>
<AfleverKanaal>
<Code>HV_ONLINE_INZAGE</Code>
<AfleverPartij>
<Naam>xxxx</Naam>
</AfleverPartij>
</AfleverKanaal>
<AfleverKanaal>
<Code>xx</Code>
<AfleverPartij>
<Naam>xxx</Naam>
</AfleverPartij>
</AfleverKanaal>
</Header>
</PublicerenHulpverleningStatusRequest></SOAP-ENV:Body></SOAP-ENV:Envelope>

Kind regards

Ido Dijkstra

Re: Linebreaks in log4j files with splunk forwarder

scelikok — Fri, 22 Jan 2021 09:26:32 GMT

Hi @Ido,

Please try below;

[log4j] TIME_FORMAT = %d %b %Y %H:%M:%S.%3N pulldown_type = true maxDist = 75 category = Application

If this reply helps you an upvote is appreciated.

topic Linebreaks in log4j files with splunk forwarder in Getting Data In

Linebreaks in log4j files with splunk forwarder

Re: Linebreaks in log4j files with splunk forwarder