How do you ask someone a question about their own answer?

wrangler2x
Motivator

I am having difficulty with properly indexing multi-line log entries from mssql errorlog files. This particular Splunk question/answer is right on the subject: link text

He says that he has solved the problem, but does not give any real detail on how he did that. I clicked on his Splunk login name but on his page I don't see any way of contacting him. How can I do that?

0 Karma

dart
Splunk Employee

You can comment on the answer, which will send them an email notification.

I see you've already done that, so I'd guess he set up the config like this:

[mssql_error]
MUST_NOT_BREAK_AFTER = Logon\s+Error

0 Karma

wrangler2x
Motivator

That would take care of the entries which have a category string of Logon, but then there are a number of others. I don't see anything in the documentation that shows you can use MUST_NOT_BREAK_AFTER multiple times; how do you have multiple MUST_NOT_BREAK_AFTER regexes?

Also, I do not care about the Logon ones anyway. They are also logged in Windows Events, and I am already receiving them in another index in Splunk, so I filter them out. But there are a variety of multi-line entries in the errorlog that don't log in Windows Events that I do want to index properly. No word from jchensor.

0 Karma
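
An added example, not from the thread or from Splunk: one regex with alternation can cover several category strings, and this Python script checks such a pattern against constructed errorlog lines before it goes into a config. The category names, the sample lines and the pairing model (a matching line is joined only with the single line that follows it) are assumptions and do not reproduce Splunk's own line-merging logic.

```python
import re

# Constructed sample lines in the SQL Server errorlog layout:
# timestamp, source/category column, message. Not taken from the thread.
SAMPLE_LINES = [
    "2024-01-05 10:15:30.12 Logon       Error: 18456, Severity: 14, State: 8.",
    "2024-01-05 10:15:30.12 Logon       Login failed for user 'app'.",
    "2024-01-05 10:16:02.40 Backup      Error: 3041, Severity: 16, State: 1.",
    "2024-01-05 10:16:02.40 Backup      BACKUP failed to complete the command BACKUP DATABASE demo.",
    "2024-01-05 10:17:11.03 spid52      Error: 823, Severity: 24, State: 2.",
    "2024-01-05 10:17:11.03 spid52      The operating system returned an error during a read.",
    "2024-01-05 10:18:00.00 Server      SQL Server is now ready for client connections.",
]

# One regex, several categories: alternation inside a non-capturing group.
# Category names are assumptions; "Logon" is left out on purpose.
NO_BREAK_AFTER = r"\s(?:Backup|Server|spid\d+)\s+Error:"

def merge_events(lines, no_break_after=NO_BREAK_AFTER):
    """Group lines into events; a line matching the regex keeps the next line."""
    pattern = re.compile(no_break_after)
    events = []
    join_next = False
    for line in lines:
        if join_next and events:
            events[-1].append(line)
        else:
            events.append([line])
        # Decide whether the following line belongs to this event.
        join_next = pattern.search(line) is not None
    return ["\n".join(event) for event in events]

def matched_categories(lines, no_break_after=NO_BREAK_AFTER):
    """Return the category column of every line the regex matches."""
    pattern = re.compile(no_break_after)
    return [line.split()[2] for line in lines if pattern.search(line)]

if __name__ == "__main__":
    for event in merge_events(SAMPLE_LINES):
        print(event, end="\n---\n")
```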