Is it possible to selectively line merge syslog-ng...

JSkier · ‎05-24-2017

I have a syslog server receiving and filtering into files and then forwarding data to my indexers. One source uses udp, and sometimes a single event gets truncated into typically two lines.

2017-05-24T12:40:19.694287-02:00 server1 blah: [timestamp] ..... [more stu -TRUNCATES-
2017-05-24T12:40:19.694287-02:00 server1 blah: ff this is a continuation of one event] status warn [end]

Is it possible to have Splunk selectively line merge when this happens? For example, most of events are one line and below the message limit, but occasionally these two liner snow flakes come along that need to be merged somehow.

I have looked at the sending appliance and it cannot up the msg size. Also, it can also only send out syslog via UDP so it is bound to the protocol limitation. I haven't seen much for syslog-ng filtering that can address this.

mjeffery_splunk · ‎05-26-2017

Can your network appliance be configured to send syslog over TCP instead?

Also, who makes this network appliance?

JSkier · ‎05-30-2017

It's a LoadBalancer.org appliance; uses rsyslog to send.

TCP still truncates, the sending from rsyslog does not seem to honor the message size setting of rsyslog.

Is it possible to selectively line merge syslog-ng truncated events?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Join the Conversation