I am having difficulty with properly indexing multi-line log entries from mssql errorlog files. This particular splunk question/answer is right on the subject: link text
He says that he has solved the problem, but does not give any real detail on how he did that. I clicked on his splunk loging name but on his page I don't see any way of contacting him. How can I do that?
You can comment on the answer, which will send them an email notification.
I see you've already done that, so I'd guess he set up the config like this:
MUST_NOT_BREAK_AFTER = Logon\s+Error
That would take care of the entries which have a category string of Logon, but then there are a number of others. I don't see anything in the documentation that shows you can use MUST_NOT_BREAK_AFTER multiple times; how do you have multiple MUST_NOT_BREAK_AFTER regexes?
Also, I do not care about the Logon ones anyway. They are also logged in Windows Events, and I am already receiving them in another index in Splunk, so I filter them out. But there are a variety of multi-line entries in the errorlog that don't log in Windows Events I do want to index properly. No word from jchensor