Re: Splunk timing issue when forwarding log file

brent_weaver · ‎09-21-2015

I am having an issue with a particular log file where two entries get concatenated into one entry. It is not the data because if I take take the same data and add it via file upload it is fine, meaning all lines are unique. Has anyone else had an issue like this? It seems that it is a timing problem that the host if forwarding the same time the file is being written... Is this perhaps the result of the log file not being locked when written to???

Any help is appreciated. Thanks!

pradeepkumarg · ‎09-21-2015

You need to set line breaking property in your props.conf

http://docs.splunk.com/Documentation/Splunk/6.2.5/Admin/propsconf

LINE_BREAKER = <regular expression>
* Specifies a regex that determines how the raw text stream is broken into initial events,

brent_weaver · ‎09-22-2015

Does this still apply when the issue only happen sometimes? It is the same file, it just seems that the file get fwd before it is done being written.

Splunk timing issue when forwarding log file

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Join the Conversation