Hi, splunkers
We want to index multiline log messages with no timestamp as one event.
But the regular expression for multiline is difficult.
So now I am trying the following configuration.
[source::/opt/mail1.log]
SHOULD_LINEMERGE = true
MAX_EVENTS=200
LINE_BREAKER = XXXXXXXXXXXXX
TRUNCATE = 50000
But it does not work.
The first event is a 200-line message event, but the next event is a 1-line message event.
I want 200 lines of messages per event.
Is there any idea?
Thank you for your help,
Try this
[source::/opt/mail1.log]
SHOULD_LINEMERGE = true
MAX_EVENTS=200
BREAK_ONLY_BEFORE=XXXXXXXXXXXX
TRUNCATE = 50000
DATETIME_CONFIG = NONE
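As an added illustration (not code from this thread or from Splunk itself), a small Python model of the documented line-merging rules the answer relies on: MAX_EVENTS, BREAK_ONLY_BEFORE and DATETIME_CONFIG = NONE. The sample lines and the date pattern are constructed assumptions; the model shows what a placeholder regex that never matches the data produces versus one that matches every line.

```python
import re

# Constructed sample: 450 copies of the line quoted later in the thread, no timestamps.
SAMPLE_LINES = ["Rejected at IN(default) filter: TCP"] * 450

# Stand-in for automatic timestamp recognition (assumption: a "YYYY-MM-DD" or
# "Mon DD HH:MM:SS" prefix counts as a date; Splunk's real detection is broader).
DATE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}|[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2})")


def merge_events(lines, max_events=256, break_only_before=None,
                 break_only_before_date=True, datetime_config_none=False):
    """Teaching model of props.conf line merging (SHOULD_LINEMERGE = true).

    A new event starts before a line when the current event already holds
    MAX_EVENTS lines, when the line matches BREAK_ONLY_BEFORE (if set), or when
    the line carries a date and BREAK_ONLY_BEFORE_DATE is true, unless
    DATETIME_CONFIG = NONE switched timestamp recognition off.
    This models the documented semantics; it is not Splunk's implementation.
    """
    bob = re.compile(break_only_before) if break_only_before else None
    events, current = [], []
    for line in lines:
        starts_new = False
        if current and len(current) >= max_events:
            starts_new = True
        elif bob is not None and bob.search(line):
            starts_new = True
        elif break_only_before_date and not datetime_config_none and DATE_RE.search(line):
            starts_new = True
        if starts_new and current:
            events.append(current)
            current = []
        current.append(line)
    if current:
        events.append(current)
    return events


def event_sizes(lines, **settings):
    """Number of lines per merged event, in order."""
    return [len(e) for e in merge_events(lines, **settings)]


if __name__ == "__main__":
    # The answer's settings: a regex that never matches the data, MAX_EVENTS = 200,
    # DATETIME_CONFIG = NONE. Expected: [200, 200, 50]
    print(event_sizes(SAMPLE_LINES, max_events=200,
                      break_only_before="XXXXXXXXXXXX", datetime_config_none=True))
    # A regex that matches every line instead gives one line per event: [1, 1, 1, 1, 1]
    print(event_sizes(SAMPLE_LINES[:5], max_events=200, break_only_before="^Rejected"))
```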
Sorry,
the mistake was made by me.
This answer is good.
Thank you very much, lguinn ♦.
inputs.conf is on the universal forwarder for this input.
props.conf is on the indexer.
So both your inputs.conf and your props.conf are on the indexer for this input?
It is on an indexer.
Next question: where is your input? Is it on a forwarder? A universal forwarder or a heavy forwarder?
Where is your props.conf?
I tried this answer, but I had the same result.
Hi, lguinn ♦, thank you for the comment.
The assumed log is continuous, with the same messages.
For example:
Rejected at IN(default) filter: TCP
Rejected at IN(default) filter: TCP
Rejected at IN(default) filter: TCP
We need to see an example of your data. This is not enough information!