How do you ask someone a question about their own answer?

wrangler2x
Motivator

I am having difficulty with properly indexing multi-line log entries from mssql errorlog files. This particular Splunk question/answer is right on the subject: link text

He says that he has solved the problem, but does not give any real detail on how he did that. I clicked on his Splunk login name, but on his page I don't see any way of contacting him. How can I do that?

0 Karma

dart
Splunk Employee

You can comment on the answer, which will send them an email notification.

I see you've already done that, so I'd guess he set up the config like this:

[mssql_error]
MUST_NOT_BREAK_AFTER = Logon\s+Error

0 Karma

wrangler2x
Motivator

That would take care of the entries which have a category string of Logon, but then there are a number of others. I don't see anything in the documentation that shows you can use MUST_NOT_BREAK_AFTER multiple times; how do you have multiple MUST_NOT_BREAK_AFTER regexes?
Also, I do not care about the Logon ones anyway. They are also logged in Windows Events, and I am already receiving them in another index in Splunk, so I filter them out. But there are a variety of multi-line entries in the errorlog that don't log in Windows Events that I do want to index properly. No word from jchensor.

0 Karma