Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Can the "exception" log record that looks different from the regular log records and is spanned across a bunch of lines be indexed as one Splunk event? The whole log goes to the same sourcetype.

yg
Explorer
‎07-10-2018 05:09 PM

Can the "exception" log record that looks different from the regular log records and is spanned across a bunch of lines be indexed as one Splunk event? The whole log goes to the same sourcetype.

To split the events I used in props.conf
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)

Although all the regular info-level log records have the timestamps, without this configuration some log records would be merged together into the same Splunk event probably because of the very high data density coming from this log.

Here is the issue:
Sometimes the log would have an "exception" record spanned across multiple lines with the lines number 2 and after not having the timestamp in them but they mostly would start with "\sat\s" pattern. It would look like this:
<info-level record>
<the start of the exception record>
<tab>at ...
<tab>at ...
<tab>at ...
<tab>at ...
<info-level record>
<info-level record>

I added
MUST_NOT_BREAK_BEFORE = \sat\s
to the sourcetype stanza but it didn't help and the exception was broken into multiple Splunk events after the indexing.

Is there a way to keep the exception as one Splunk event without affecting the regular info-level log records?

Thank you.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎07-11-2018 02:34 AM

Amend your LINE_BREAKER to look for a timestamp-y part after the carriage-return/newline. That way it'll only break if there's actually a next event following, not if a multi-line event is present.

MUST_NOT_BREAK_BEFORE is useless here because it affects the aggregator / line merger. You've correctly turned that off because you're using the more efficient LINE_BREAKER.

View solution in original post

Reply
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎07-11-2018 02:34 AM

Amend your LINE_BREAKER to look for a timestamp-y part after the carriage-return/newline. That way it'll only break if there's actually a next event following, not if a multi-line event is present.

MUST_NOT_BREAK_BEFORE is useless here because it affects the aggregator / line merger. You've correctly turned that off because you're using the more efficient LINE_BREAKER.

Reply
Solved! Jump to solution

yg
Explorer
‎07-17-2018 08:03 AM

Thank you! It did work. This configuration removed the time from the beginning of the Splunk events but there are system timestamps (_time).

0 Karma
Reply
Get Updates on the Splunk Community!

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...