I have a syslog server receiving and filtering into files and then forwarding data to my indexers. One source uses udp, and sometimes a single event gets truncated into typically two lines.
2017-05-24T12:40:19.694287-02:00 server1 blah: [timestamp] ..... [more stu -TRUNCATES-
2017-05-24T12:40:19.694287-02:00 server1 blah: ff this is a continuation of one event] status warn [end]
Is it possible to have Splunk selectively line merge when this happens? For example, most of events are one line and below the message limit, but occasionally these two liner snow flakes come along that need to be merged somehow.
I have looked at the sending appliance and it cannot up the msg size. Also, it can also only send out syslog via UDP so it is bound to the protocol limitation. I haven't seen much for syslog-ng filtering that can address this.