Getting Data In

Log4g (via Syslog) not working for multiline indexing?


I'm working on trying to get our application server's log4j working so that events will show up in searches for multiline events as a single event. There is also a problem where there are "..." breaks where the multiple lines should just continue on.

Here is an example output:

2013-07-25 14:31:49,813 [pool-4-thread-1] INFO (269) - Exiting ClusteredLogoutFilter#sessionCreated - Timestamp : 1374777109813
ID: 843352
Address: /path/to/application
Http-Method: GET
Content-Type: application/json
Headers: {content-type=[application/json], connection=[Keep-Alive], host=[], accept-language=[en-US,en;q=0.8], x-forwarded-for=[,], optr_cxt=[01000f0001eb4515a7-bdfc-42a0-8b4a-498d89c...
...05a4008cc0a81-7ab4-4e73-81b6-0e7358e69e6eb2edbc79-1b21-4e3a-bcf1-0e1ecfa297031       ;usraddr=;usrname=;], x-forwarded-host=[myserver, mytest], user-agent=[Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.72 Safari/537.36], x-dds-access-path=[wan, prv], cookie=[JSESSIONID=C4E29C6715F5DDD7475CD2554EC4050B.myserver.env; __utma=43946937.444067536.1371496959.1371496959.1371562971.2; __utmz=43946937.1371496959.1.1.utmcsr=(...|utmccn=(direct)|utmcmd=(none); LKC=22; LKCD=ltr; MODULEBASE=viewport; PAGEBASE=viewport%2Flogin%2F; MODULENAME=component; STGT=TGT-64657-z0sbkEt6gIbNzSobYudbakapZxoer5To3wI0hRkIsvU6mYPJLb-cas; osv-user-name=somebody; osv-user-remember=true; osv-user-org-continent=NA; SSOcookie=6C3E0895C362D9D2F76272B5930EF414.service; AppName=myapp; AppEnv=P], x-ssl=[0, 0], referer=...
...[somehost?os-cid=40006], accept-encoding=[gzip,deflate,sdch], x-forwarded-server=[fwd.server, otherhost], Content-Type=[application/json], Accept=[application/json]}

I assume that this is a problem within my log4j/syslog configuration on the sending server that is causing this?

The other thing, which I'm not sure that it's an issue is, say I search on "" , only the line that has this will show up in the search, not the full set of lines that I'm expecting. I would have click on this entry and then do a "Show Source" to see the full lines.

Any ideas would be great. I have this in my config:


TRANSFORMS--strip-syslog = syslog-header-stripper-ts-host

TIME_FORMAT = %Y-%m-%d %H:%M:%S,%3N


Tags (3)
0 Karma


It looks like the syslog timestamp/hostname was not being stripped out in some cases.

0 Karma
Get Updates on the Splunk Community!

Observability | How to Think About Instrumentation Overhead (White Paper)

Novice observability practitioners are often overly obsessed with performance. They might approach ...

Cloud Platform | Get Resiliency in the Cloud Event (Register Now!)

IDC Report: Enterprises Gain Higher Efficiency and Resiliency With Migration to Cloud  Today many enterprises ...

The Great Resilience Quest: 10th Leaderboard Update

The tenth leaderboard update (11.23-12.05) for The Great Resilience Quest is out >> As our brave ...