How do you ask someone a question about their own answer?

wrangler2x
Motivator

I am having difficulty with properly indexing multi-line log entries from mssql errorlog files. This particular Splunk question/answer is right on the subject: link text

He says that he has solved the problem, but does not give any real detail on how he did that. I clicked on his Splunk login name, but on his page I don't see any way of contacting him. How can I do that?

0 Karma

dart
Splunk Employee

You can comment on the answer, which will send them an email notification.

I see you've already done that, so I'd guess he set up the config like this:

[mssql_error]
MUST_NOT_BREAK_AFTER = Logon\s+Error
0 Karma

wrangler2x
Motivator

That would take care of the entries which have a category string of Logon, but then there are a number of others. I don't see anything in the documentation that shows you can use MUST_NOT_BREAK_AFTER multiple times; how do you have multiple MUST_NOT_BREAK_AFTER regexes?
Also, I do not care about the Logon ones anyway. They are also logged in Windows Events, and I am already receiving them in another index in Splunk, so I filter them out. But there are a variety of multi-line entries in the errorlog that don't log in Windows Events that I do want to index properly. No word from jchensor.

0 Karma
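
An added example, not part of the thread or anyone's actual configuration: because MUST_NOT_BREAK_AFTER takes a regular expression, one pattern with alternation (or one keyed on the "Error: n, Severity: n" header) can cover several errorlog sources. The sample lines are constructed, and `merge` is a simplified stand-in for line merging (an assumption, not Splunk's own logic), meant for checking a candidate regex offline.

```python
import re

# Constructed sample lines in the SQL Server errorlog layout
# (timestamp, source column, message); not taken from the thread.
SAMPLE = """\
2012-03-01 09:14:02.11 Logon       Error: 18456, Severity: 14, State: 8.
2012-03-01 09:14:02.11 Logon       Login failed for user 'app'. [CLIENT: 10.0.0.5]
2012-03-01 09:15:40.02 spid52      Error: 9002, Severity: 17, State: 2.
2012-03-01 09:15:40.02 spid52      The transaction log for database 'demo' is full.
2012-03-01 09:16:00.73 Server      SQL Server is now ready for client connections.
2012-03-01 09:17:12.50 Backup      Error: 3041, Severity: 16, State: 1.
2012-03-01 09:17:12.50 Backup      BACKUP failed to complete the command BACKUP DATABASE demo.
""".splitlines()

# The regex suggested in the thread: only glues Logon error headers.
LOGON_ONLY = re.compile(r"Logon\s+Error")
# Several sources in a single regex, using alternation.
BY_SOURCE = re.compile(r"(?:Logon|Backup|spid\d+)\s+Error")
# Or match the error header itself, whatever the source column says.
ANY_SOURCE = re.compile(r"Error:\s+\d+,\s+Severity:\s+\d+")


def merge(lines, must_not_break_after):
    """Simplified model (assumption): each line starts a new event unless
    the previous line matched the regex, in which case it is appended."""
    events, glue = [], False
    for line in lines:
        if glue and events:
            events[-1] += "\n" + line
        else:
            events.append(line)
        # Unanchored search, the way a props.conf regex is applied to a line.
        glue = bool(must_not_break_after.search(line))
    return events


if __name__ == "__main__":
    for name, rx in [("LOGON_ONLY", LOGON_ONLY), ("BY_SOURCE", BY_SOURCE),
                     ("ANY_SOURCE", ANY_SOURCE)]:
        print(name, "->", len(merge(SAMPLE, rx)), "events")
```
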