Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How to parse multi-line mixed messages from rsyslog?

Rialf1959
Explorer
‎11-03-2017 01:36 AM

How to parse multi-line mixed messages from rsyslog?
There are a lot of data from lot of applications comming from Docker with syslog driver. All of these applications have proper syslog tag. Problem is that I cannot touch application code (Java). .... problem is multi-line stacktraces, these are flushed to docker stdout line by line. It means that rsyslog handle these lines as seperate messages.

I have tcp monitor in inputs.conf

What i see in splunk is:

<$pri>  $timestamp $host $syslogtag[$process]  $app_payload_msg

So for example:

<1> 2017-11-03T08:30:55.311256+01:00 myhost firstapp[1] 2017-11-03 08:31:55.31,301 ERROR  [myclass] Stacktrace1
<1> 2017-11-03T08:31:55.313649+01:00 myhost secondapp[1] 2017-11-03 08:31:55.31,301 WARN [myclass] message
<1> 2017-11-03T08:32:55.311256+01:00 myhost firstapp[1]      stacktraceline2
<1> 2017-11-03T08:33:55.311256+01:00 myhost firstapp[1]      stacktraceline3
<1> 2017-11-03T08:34:55.313649+01:00 myhost thirdapp[1] 2017-11-03 08:34:55.31,301 INFO [myclass] message
<1> 2017-11-03T08:35:55.311256+01:00 myhost firstapp[1]      stacktraceline4

I want these separate messsages group to events like:

  <1> 2017-11-03T08:30:55.311256+01:00 myhost firstapp[1] 2017-11-03 08:31:55.31,301 ERROR  [myclass] Stacktrace1
                             stacktraceline2
                             stacktraceline3
                             stacktraceline4
 <1> 2017-11-03T08:31:55.313649+01:00 myhost secondapp[1] 2017-11-03 08:31:55.31,301 WARN [myclass] message
 <1> 2017-11-03T08:34:55.313649+01:00 myhost thirdapp[1] 2017-11-03 08:34:55.31,301 INFO [myclass] message

Thanks

0 Karma
Reply

skalliger
Motivator
‎11-09-2017 11:35 PM

Recently a college asked me the same thing; how he could handle stack traces in multi-line events.

Stack traces usually have the same format - where the following lines are starting with something like "[...] caused by. [..]",
so I would write a RegEx which does a BREAK_ONLY_BEFORE. After that , you simply define a) your RegEx and b) an "OR" after your RegEx to do the event breaking after a new line feed (\n), something like this (just an example):

((?=stacktraceline|\n)

Just add a stanza with your sourcetype in your transforms.conf:

[your_sourcetype]
SHOULD_LINEMERGE = true
BREAK_ONLY_BEFORE = ((?=stacktraceline\d)|\n)

Skalli

edit: typo

0 Karma
Reply

outcoldman
Communicator
‎11-09-2017 07:08 PM

Not an answer on your question, but an alternative, we have build a collector and Monitoring Docker application, which handles multiline events as well. Certified Splunk application https://splunkbase.splunk.com/app/3723/

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Monitoring AI Agents with Splunk Observability Cloud

Let’s say I’m running a travel planning AI app in production. A user asks for three concise hotel options in ...

[Puzzles] Solve, Learn, Repeat: Tiling

This puzzle (first published here) is based on finding groups of tessellated tiles (inspired by floor tiles I ...

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

    Thursday, July 9, 2026  |  11:00AM–12:00PM PDT Duration: 1 hour (includes Q&A) Managing can feel like a ...