I've got the following in the log file:
[80c729cb-d0fd-48a1-bdc8-f46219bce681] signed_in_user=abcdef
[80c729cb-d0fd-48a1-bdc8-f46219bce681] session_id=abcdef
[80c729cb-d0fd-48a1-bdc8-f46219bce681] method="GET" path="/cart" format="html"....
Only the format of the last line is known. The initial lines can be in any format. Otherwise, they will all start with the same uuid.
And the following settings for props:
[rails_lograge]
BREAK_ONLY_BEFORE =
BREAK_ONLY_BEFORE_DATE = false
KV_MODE = auto_escaped
MAX_TIMESTAMP_LOOKAHEAD = 250
MUST_BREAK_AFTER = \[[-0-9a-f]*\] method="[A-Z].*
MUST_NOT_BREAK_AFTER =
MUST_NOT_BREAK_BEFORE =
SHOULD_LINEMERGE = true
TIME_PREFIX = time="
The log uses the correct sourcetype; however, I cannot get the line merging to work as expected. Each line is a separate entry in the search output, and it looks like SHOULD_LINEMERGE is just ignored, along with
What can I do to make these lines a single event?
(I'm using Splunk 6.1)
I've never used "MUST_BREAK_AFTER" before; you can use BREAK_ONLY_BEFORE instead. For the sample logs you have provided, the following config in props.conf is working fine:
[rails_lograge]
BREAK_ONLY_BEFORE = \[[-0-9a-f]*\] signed.*
BREAK_ONLY_BEFORE_DATE = false
KV_MODE = auto_escaped
MAX_TIMESTAMP_LOOKAHEAD = 250
SHOULD_LINEMERGE = true
TIME_PREFIX = time="
This doesn't really fix my issue. I've got any number of different key-value pairs before the last line. They can be in any order and there isn't any known initial entry. The only known line is the last one.
I tried again with the configuration from your question and it worked fine on version 6.5.3.
I see that you are using version 6.1, so that could be the reason; it is also not working on 6.2, as per the first test I did.
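To check the two regexes from this thread against the sample lines without waiting on an indexer, here is an added example (not Splunk's code and not from anyone in the thread) that re-implements the two merge rules in Python: MUST_BREAK_AFTER closes an event when a line matches, BREAK_ONLY_BEFORE opens a new event when a line matches. The sample lines are constructed after the lograge lines in the question, with a second request whose first key is session_id rather than signed_in_user, to show why the BREAK_ONLY_BEFORE answer depends on a known first line. Python's re is not Splunk's PCRE engine, so this checks the regex logic, not whether a given Splunk version honours the setting.

```python
import re

# Constructed sample, modelled on the question's lograge lines. The second
# request deliberately starts with session_id, not signed_in_user, because
# the asker says the first key is not known in advance.
SAMPLE_LINES = [
    '[80c729cb-d0fd-48a1-bdc8-f46219bce681] signed_in_user=abcdef',
    '[80c729cb-d0fd-48a1-bdc8-f46219bce681] session_id=abcdef',
    '[80c729cb-d0fd-48a1-bdc8-f46219bce681] method="GET" path="/cart" format="html"',
    '[1e5f0a6c-2d2d-4a5a-9b1b-0f0f0f0f0f0f] session_id=ghijkl',
    '[1e5f0a6c-2d2d-4a5a-9b1b-0f0f0f0f0f0f] method="POST" path="/checkout" format="html"',
]

# The regexes exactly as they appear in the question and in the first answer.
MUST_BREAK_AFTER = re.compile(r'\[[-0-9a-f]*\] method="[A-Z].*')
BREAK_ONLY_BEFORE = re.compile(r'\[[-0-9a-f]*\] signed.*')

# Request id at the start of each line, used to check that a merged event
# never mixes two requests.
UUID_PREFIX = re.compile(r'^\[([-0-9a-f]+)\]', re.MULTILINE)


def merge_must_break_after(lines, pattern=MUST_BREAK_AFTER):
    """Append lines to the current event; a line matching `pattern` closes it.

    This mirrors the semantics of MUST_BREAK_AFTER: the break happens after
    the matching line, so the known last line ends each event.
    """
    events, current = [], []
    for line in lines:
        current.append(line)
        if pattern.search(line):
            events.append("\n".join(current))
            current = []
    if current:  # trailing lines with no terminating method= line
        events.append("\n".join(current))
    return events


def merge_break_only_before(lines, pattern=BREAK_ONLY_BEFORE):
    """Start a new event only when a line matches `pattern`; everything else merges.

    This mirrors BREAK_ONLY_BEFORE: if the first line of a request does not
    match, that request is glued onto the previous event.
    """
    events, current = [], []
    for line in lines:
        if pattern.search(line) and current:
            events.append("\n".join(current))
            current = []
        current.append(line)
    if current:
        events.append("\n".join(current))
    return events


def request_ids(event):
    """Set of request uuids that appear at the start of lines in one event."""
    return set(UUID_PREFIX.findall(event))


if __name__ == "__main__":
    for name, merged in (("MUST_BREAK_AFTER", merge_must_break_after(SAMPLE_LINES)),
                         ("BREAK_ONLY_BEFORE", merge_break_only_before(SAMPLE_LINES))):
        print(f"{name}: {len(merged)} event(s)")
        for event in merged:
            print(f"  uuids={sorted(request_ids(event))}")
            print("  " + event.replace("\n", "\n  "))
```

With the sample above, the MUST_BREAK_AFTER rule yields two events, each holding exactly one request id, while the BREAK_ONLY_BEFORE rule from the first answer yields a single event containing both requests, because the second request never starts with signed_in_user. Event breaking is applied at index time, so after changing props.conf the setting only affects data indexed from that point on; re-test with a freshly ingested copy of the file rather than searching already-indexed events.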