- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- How to merge multiline messages to one event
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,splunkers
We want to index multiline log messages with no timestamp as one event.
But regular expression for multiline is difficult.
So now I try following configurations.
[source::/opt/mail1.log]
SHOULD_LINEMERGE = true
MAX_EVENTS=200
LINE_BREAKER = XXXXXXXXXXXXX
TRUNCATE = 50000
But it does not work.
first event is 200 lines messages event but next event is 1 line messages event.
I want to 200 lines messages per one event.
Is there any idea?
thank you for my help,
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this
[source::/opt/mail1.log]
SHOULD_LINEMERGE = true
MAX_EVENTS=200
BREAK_ONLY_BEFORE=XXXXXXXXXXXX
TRUNCATE = 50000
DATETIME_CONFIG = NONE
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this
[source::/opt/mail1.log]
SHOULD_LINEMERGE = true
MAX_EVENTS=200
BREAK_ONLY_BEFORE=XXXXXXXXXXXX
TRUNCATE = 50000
DATETIME_CONFIG = NONE
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sorry,
Mistake made by me.
This answer is good.
Thank you very much for lguinn ♦ .
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
inputs.conf is on universal forwarder for this input
props.conf is on indexer
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So both your inputs.conf and your props.conf are on the indexer for this input?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It is on a indexer
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Next question: where is your input? Is it on a forwarder? A universal forwarder or a heavy forwarder?
Where is your props.conf?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I tried this answer but I had the same result
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,lguinn ♦ thank you for comment
Assumed log is continuous with same messages
For example
Rejected at IN(default) filter: TCP
Rejected at IN(default) filter: TCP
Rejected at IN(default) filter: TCP
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
We need to see an example of your data. This is not enough information!
Splunk Platform | Upgrading your Splunk Deployment to Python 3.9
From Product Design to User Insights: Boosting App Developer Identity on Splunkbase
Detect and Resolve Issues in a Kubernetes Environment
