Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Can the "exception" log record that looks different from the regular log records and is spanned across a bunch of lines be indexed as one Splunk event? The whole log goes to the same sourcetype.

yg
Explorer
‎07-10-2018 05:09 PM

Can the "exception" log record that looks different from the regular log records and is spanned across a bunch of lines be indexed as one Splunk event? The whole log goes to the same sourcetype.

To split the events I used in props.conf
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)

Although all the regular info-level log records have the timestamps, without this configuration some log records would be merged together into the same Splunk event probably because of the very high data density coming from this log.

Here is the issue:
Sometimes the log would have an "exception" record spanned across multiple lines with the lines number 2 and after not having the timestamp in them but they mostly would start with "\sat\s" pattern. It would look like this:
<info-level record>
<the start of the exception record>
<tab>at ...
<tab>at ...
<tab>at ...
<tab>at ...
<info-level record>
<info-level record>

I added
MUST_NOT_BREAK_BEFORE = \sat\s
to the sourcetype stanza but it didn't help and the exception was broken into multiple Splunk events after the indexing.

Is there a way to keep the exception as one Splunk event without affecting the regular info-level log records?

Thank you.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎07-11-2018 02:34 AM

Amend your LINE_BREAKER to look for a timestamp-y part after the carriage-return/newline. That way it'll only break if there's actually a next event following, not if a multi-line event is present.

MUST_NOT_BREAK_BEFORE is useless here because it affects the aggregator / line merger. You've correctly turned that off because you're using the more efficient LINE_BREAKER.

View solution in original post

Reply
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎07-11-2018 02:34 AM

Amend your LINE_BREAKER to look for a timestamp-y part after the carriage-return/newline. That way it'll only break if there's actually a next event following, not if a multi-line event is present.

MUST_NOT_BREAK_BEFORE is useless here because it affects the aggregator / line merger. You've correctly turned that off because you're using the more efficient LINE_BREAKER.

Reply
Solved! Jump to solution

yg
Explorer
‎07-17-2018 08:03 AM

Thank you! It did work. This configuration removed the time from the beginning of the Splunk events but there are system timestamps (_time).

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

.conf25 Global Broadcast: Don’t Miss a Moment

Hello Splunkers, .conf25 is only a click away.  Not able to make it to .conf25 in person? No worries, you can ...

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...