Re: Need help for line breaking

RobertRi · ‎11-19-2013

Hi

I have a problem with an logifle wich has over 95% single line events and a few multiline events.

These multiline events have this format

START*A .....
   ....
   ....
   ....
END

How can I configure I splunk to keep this lines together as a one multiline event?

Thanks for your help
Rob

RobertRi · ‎11-19-2013

Yes, the inner multiline lines are indented with tabs

gkanapathy · ‎11-19-2013

Then:

[mysourcetype]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)(?:XSET|XGET|START|\?|XKS|XDEL)

may do it. Or,

[mysourcetype]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)(?!(?:END|\t))

gkanapathy · ‎11-19-2013

for best performance, you want to set SHOULD_LINEMERGE = false, which disables all rules other than LINE_BREAKER. but generally indexing performance is not a problem and so a clearer rule may be better.

RobertRi · ‎11-19-2013

I have played around with the data preview in the UI (really cool thing!) and found that this works too.

MUST_NOT_BREAK_AFTER=^START\*\w+\s
MUST_BREAK_AFTER=^END
SHOULD_LINEMERGE= true

In case of performance, did you recommend your solution with the LINE_BREAKER or my way?

Thank you very much for your help!
Rob

gkanapathy · ‎11-19-2013

So, with the multi-line events, are the inner lines actually indented with spaces or tabs? Or is that just how you formatted it?

RobertRi · ‎11-19-2013

The single lines are really different
They begin with ..

XSET
XGET
START ......... END
?
XKS
XDEL

gkanapathy · ‎11-19-2013

what do the single line events look like?

Need help for line breaking

Troubleshooting the OpenTelemetry Collector

Adoption of Infrastructure Monitoring at Splunk

Modern way of developing distributed application using OTel