How to include medium-large texts with the events?

unitedmarsupial · ‎02-10-2020

I'm developing an inotify-based daemon to report core-dumps occasionally occurring in a directory.

Reporting the fact of the crash is easy, but we also want to include the debugger's output (showing the full stack at the time of crash).

Should I make that simply one large text-field (with multiple newlines):

{
    "PID": 1111,
    "stack": "#0  0x00000001 in ?? ()\n#1  0x28098e5f in xo_attr (name=0x5 <Address 0x5 out of bounds>, fmt=0x0) ...."
}

or a list of lines:

{
     "PID": 1111,
     "stack": [
        "#0  0x00000001 in ?? ()",
        "#1  0x28098e5f in xo_attr (name=0x5 <Address 0x5 out of bounds>, fmt=0x0)",
       ...
     ]
}

Are there technical pluses/minuses to either approach, or is it just a matter of taste? For example, would Splunk's additional tools (such as the Patterns-seeker) prefer one method over another?

PavelP · ‎02-10-2020

you have to increase (or set to zero for this sourcetype) TRUNCATE in props.conf for the first example if the length can exceed 10000 bytes.

the probability that the regex find a wrong match is higher for a very long line (depends on your regex).

from the other side, Splunk best practices are to keep mulitline events to a minimum:
https://dev.splunk.com/enterprise/docs/developapps/logging/loggingbestpractices/#Keep-multi-line-eve...

to4kawa · ‎02-10-2020

props.conf

LINE_BREAKER = ([\r\n]+)|\\\n

and add SEDCMD

How to include medium-large texts with the events?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life