MUST_BREAK_AFTER seems ignored

New Member

I've got the following in the log file:

[80c729cb-d0fd-48a1-bdc8-f46219bce681] signed_in_user=abcdef
[80c729cb-d0fd-48a1-bdc8-f46219bce681] session_id=abcdef
[80c729cb-d0fd-48a1-bdc8-f46219bce681] method="GET" path="/cart" format="html"....

Only the last line format is known. The initial lines can contain any format. Otherwise, they will all start with the same uuid.

And the following settings for props:

[rails_lograge]
BREAK_ONLY_BEFORE =
BREAK_ONLY_BEFORE_DATE = false
KV_MODE = auto_escaped
MAX_TIMESTAMP_LOOKAHEAD = 250
MUST_BREAK_AFTER = \[[-0-9a-f]*\] method="[A-Z].*
MUST_NOT_BREAK_AFTER =
MUST_NOT_BREAK_BEFORE =
SHOULD_LINEMERGE = true
TIME_PREFIX = time="

The log uses the correct sourcetype, however I cannot get the line merging to work as expected. Each line is a separate entry in the search output and it looks like the SHOULD_LINEMERGE is just ignored, along with MUST_BREAK_AFTER.

What can I do to make these lines a single event?

(I'm using Splunk 6.1)

0 Karma

Builder

Hello,

I've never used "MUST_BREAK_AFTER" before; you can use BREAK_ONLY_BEFORE instead. For the sample logs you have provided, the following conf. in props.conf is working fine:

[rails_lograge]
BREAK_ONLY_BEFORE = \[[-0-9a-f]*\] signed.*
BREAK_ONLY_BEFORE_DATE = false
KV_MODE = auto_escaped
MAX_TIMESTAMP_LOOKAHEAD = 250
SHOULD_LINEMERGE = true
TIME_PREFIX = time="

Regards

0 Karma

New Member

This doesn't really fix my issue. I've got any number of different key-value pairs before the last line. They can be in any order and there isn't any known initial entry. The only known line is the last one.

0 Karma

Builder

I gave it a try again with your configuration in the question and it worked fine on version 6.5.3.

I see that you are using version 6.1; this could be the reason. It is also not working on 6.2, as per the first test I did.

0 Karma
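To check offline what the two proposed break rules would do to this log shape, here is an added example (not code from the thread or from Splunk) that models line merging in a simplified way: a new event starts before a line matching BREAK_ONLY_BEFORE, and the current event is closed after a line matching MUST_BREAK_AFTER. The regexes are the ones quoted in the question and the answer; the log lines are constructed, with the second request's key=value lines in a different order to reproduce the asker's objection that only the trailing method= line is fixed.

```python
import re

# Constructed sample modelled on the thread's excerpt: two requests whose leading
# key=value lines arrive in different orders; only the method= line has a known format.
SAMPLE_LOG = """\
[80c729cb-d0fd-48a1-bdc8-f46219bce681] signed_in_user=abcdef
[80c729cb-d0fd-48a1-bdc8-f46219bce681] session_id=abcdef
[80c729cb-d0fd-48a1-bdc8-f46219bce681] method="GET" path="/cart" format="html"
[1d2e3f40-1111-2222-3333-444455556666] session_id=ghijkl
[1d2e3f40-1111-2222-3333-444455556666] request_ip=192.0.2.10
[1d2e3f40-1111-2222-3333-444455556666] signed_in_user=ghijkl
[1d2e3f40-1111-2222-3333-444455556666] method="POST" path="/checkout" format="html"
"""

# Regexes as quoted in the thread: the asker's MUST_BREAK_AFTER, the answer's BREAK_ONLY_BEFORE.
MUST_BREAK_AFTER = re.compile(r'\[[-0-9a-f]*\] method="[A-Z].*')
BREAK_ONLY_BEFORE = re.compile(r'\[[-0-9a-f]*\] signed.*')
UUID_PREFIX = re.compile(r'^\[([-0-9a-f]{36})\]')


def merge_events(lines, break_after=None, break_before=None):
    """Simplified model (not Splunk's implementation): start a new event before a line
    matching break_before; close the current event after a line matching break_after."""
    events, current = [], []
    for line in lines:
        if current and break_before and break_before.match(line):
            events.append(current)
            current = []
        current.append(line)
        if break_after and break_after.match(line):
            events.append(current)
            current = []
    if current:
        events.append(current)
    return ["\n".join(ev) for ev in events]


def uuids_consistent(events):
    """The asker's invariant: every line of one merged event carries the same request UUID."""
    for event in events:
        ids = {UUID_PREFIX.match(l).group(1) for l in event.splitlines() if UUID_PREFIX.match(l)}
        if len(ids) != 1:
            return False
    return True


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    by_after = merge_events(lines, break_after=MUST_BREAK_AFTER)
    by_before = merge_events(lines, break_before=BREAK_ONLY_BEFORE)
    print(len(by_after), uuids_consistent(by_after))    # 2 True
    print(len(by_before), uuids_consistent(by_before))  # 2 False
```

Breaking after the method= line yields one event per request with a single UUID each, while breaking before signed.* mixes two requests into one event as soon as the key order varies, which is exactly the objection raised in the follow-up.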