Getting Data In

How to parse multi-line mixed messages from rsyslog?

Rialf1959
Explorer

There is a lot of data from a lot of applications coming from Docker with the syslog driver. All of these applications have a proper syslog tag. The problem is that I cannot touch the application code (Java). .... The problem is multi-line stack traces; these are flushed to Docker stdout line by line. That means rsyslog handles these lines as separate messages.

I have a TCP monitor in inputs.conf

What I see in Splunk is:

<$pri>  $timestamp $host $syslogtag[$process]  $app_payload_msg

So for example:

<1> 2017-11-03T08:30:55.311256+01:00 myhost firstapp[1] 2017-11-03 08:31:55.31,301 ERROR  [myclass] Stacktrace1
<1> 2017-11-03T08:31:55.313649+01:00 myhost secondapp[1] 2017-11-03 08:31:55.31,301 WARN [myclass] message
<1> 2017-11-03T08:32:55.311256+01:00 myhost firstapp[1]      stacktraceline2
<1> 2017-11-03T08:33:55.311256+01:00 myhost firstapp[1]      stacktraceline3
<1> 2017-11-03T08:34:55.313649+01:00 myhost thirdapp[1] 2017-11-03 08:34:55.31,301 INFO [myclass] message
<1> 2017-11-03T08:35:55.311256+01:00 myhost firstapp[1]      stacktraceline4

I want these separate messages grouped into events like:

 <1> 2017-11-03T08:30:55.311256+01:00 myhost firstapp[1] 2017-11-03 08:31:55.31,301 ERROR  [myclass] Stacktrace1
                             stacktraceline2
                             stacktraceline3
                             stacktraceline4
 <1> 2017-11-03T08:31:55.313649+01:00 myhost secondapp[1] 2017-11-03 08:31:55.31,301 WARN [myclass] message
 <1> 2017-11-03T08:34:55.313649+01:00 myhost thirdapp[1] 2017-11-03 08:34:55.31,301 INFO [myclass] message

Thanks

0 Karma
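The regrouping asked for above, as an added example that is not part of the original post: a small Python script that parses lines in the `<pri> timestamp host tag[pid] payload` shape shown in the question and re-assembles continuation lines into the event of the application that emitted them. It assumes (as the sample lines suggest) that the first line of every application message starts with the app's own `YYYY-MM-DD HH:MM:SS` timestamp and that anything else is a stack-trace continuation; the `(host, tag, pid)` key used for grouping and the `SAMPLE_LINES` input are constructed for this illustration.

```python
import re

# Shape of one rsyslog line as it arrives over the TCP input:
#   <pri> timestamp host tag[pid] payload
SYSLOG_LINE = re.compile(
    r"^<(?P<pri>\d+)>\s+(?P<ts>\S+)\s+(?P<host>\S+)\s+"
    r"(?P<tag>[^\s\[]+)\[(?P<pid>[^\]]+)\]\s*(?P<msg>.*)$"
)

# Assumption taken from the sample lines: a payload that begins with the
# application's own timestamp opens a new event; any other payload is a
# continuation (stack trace line) of that application's currently open event.
APP_TS = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}")

# Constructed sample input mirroring the question's interleaved lines.
SAMPLE_LINES = [
    "<1> 2017-11-03T08:30:55.311256+01:00 myhost firstapp[1] 2017-11-03 08:31:55.31,301 ERROR  [myclass] Stacktrace1",
    "<1> 2017-11-03T08:31:55.313649+01:00 myhost secondapp[1] 2017-11-03 08:31:55.31,301 WARN [myclass] message",
    "<1> 2017-11-03T08:32:55.311256+01:00 myhost firstapp[1]      stacktraceline2",
    "<1> 2017-11-03T08:33:55.311256+01:00 myhost firstapp[1]      stacktraceline3",
    "<1> 2017-11-03T08:34:55.313649+01:00 myhost thirdapp[1] 2017-11-03 08:34:55.31,301 INFO [myclass] message",
    "<1> 2017-11-03T08:35:55.311256+01:00 myhost firstapp[1]      stacktraceline4",
]


def parse_line(line):
    """Split one syslog line into its fields, or return None if it does not match."""
    m = SYSLOG_LINE.match(line)
    return m.groupdict() if m else None


def group_events(lines):
    """Regroup interleaved per-line messages into per-application events.

    Returns a list of dicts with keys pri, ts, host, tag, pid and lines, in the
    order the events started. A continuation line is appended to the most recent
    open event with the same (host, tag, pid) key, regardless of other
    applications' lines arriving in between; purely sequential line merging
    cannot do this, which is why the grouping is done per key here.
    """
    events = []
    open_event = {}  # (host, tag, pid) -> index into events
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue  # not in the expected shape; ignore rather than mis-merge
        key = (rec["host"], rec["tag"], rec["pid"])
        msg = rec["msg"].strip()
        if APP_TS.match(msg) or key not in open_event:
            # New event. A continuation with no open event for its key (e.g. the
            # first line was lost) starts its own event instead of being dropped.
            events.append({
                "pri": rec["pri"], "ts": rec["ts"], "host": rec["host"],
                "tag": rec["tag"], "pid": rec["pid"], "lines": [msg],
            })
            open_event[key] = len(events) - 1
        else:
            events[open_event[key]]["lines"].append(msg)
    return events


def render(events):
    """Render grouped events back into text, one header line plus indented continuations."""
    out = []
    for ev in events:
        head, *rest = ev["lines"]
        out.append(f"<{ev['pri']}> {ev['ts']} {ev['host']} {ev['tag']}[{ev['pid']}] {head}")
        out.extend("    " + line for line in rest)
    return "\n".join(out)


if __name__ == "__main__":
    print(render(group_events(SAMPLE_LINES)))
```

The same two-regex split (header fields vs. "does the payload start with the app's own timestamp?") is the decision an indexer-side line merge would also have to make; the difference is that the script keeps one open event per application key, so lines from other containers arriving in between do not close the stack trace prematurely.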

skalliger
Motivator

Recently a colleague asked me the same thing: how he could handle stack traces in multi-line events.

Stack traces usually have the same format - where the following lines are starting with something like "[...] caused by. [..]",
so I would write a RegEx which does a BREAK_ONLY_BEFORE. After that, you simply define a) your RegEx and b) an "OR" after your RegEx to do the event breaking after a new line feed (\n), something like this (just an example):

((?=stacktraceline)|\n)

Just add a stanza with your sourcetype in your transforms.conf:

[your_sourcetype]
SHOULD_LINEMERGE = true
BREAK_ONLY_BEFORE = ((?=stacktraceline\d)|\n)

Skalli

edit: typo

0 Karma

outcoldman
Communicator

Not an answer to your question, but an alternative: we have built a collector and Monitoring Docker application, which handles multiline events as well. Certified Splunk application https://splunkbase.splunk.com/app/3723/

0 Karma