Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Log4j events line-break not consistent

banderson7
Communicator
‎03-30-2016 06:54 AM

I'm bringing in alfresco logs, in this case share.log and for the most part the events are broken up by line correctly

09:30:32,256 DEBUG [com.XXXXX.alfresco.services.search.AbstractSolrService]      Nothing to push to Solr

, until they're not

09:30:42,405 DEBUG [com.XXXXX.alfresco.services.search.sync.AlfrescoToSolrSyncTrackerComponent] 
09:30:42,405 DEBUG [com.XXXXX.alfresco.services.search.sync.AlfrescoToSolrSyncTrackerComponent] Processing 0 orphaned content
09:30:42,405 DEBUG [com.XXXXX.alfresco.services.search.AbstractSolrService]    Processing Deletes: 0
09:30:42,405 DEBUG [com.XXXXX.alfresco.services.search.AbstractSolrService]      Nothing to push to Solr
09:30:42,405 INFO  [com.XXXXX.alfresco.services.search.sync.AlfrescoToSolrSyncTrackerComponent] Alfresco-Solr Sync Alfresco Stats: Total Folders: 737; Total Documents: 44587
09:30:42,405 INFO  [com.XXXXX.alfresco.services.search.sync.AlfrescoToSolrSyncTrackerComponent] Alfresco-Solr Sync Solr Stats: Already In Solr: 44586; Created: 1; Updated: 0; Removed: 0; Orphaned: 0
09:30:42,413 DEBUG [com.XXXXX.alfresco.services.search.sync.AlfrescoToSolrSyncTrackerComponent] Alfresco To Solr Push Sync: Job finished

My props is thus:

[XXXXXX:uat:alfresco]
LINE_BREAKER = ([\r\n]+)
#BREAK_ONLY_BEFORE = \d\d?:\d\d:\d\d
pulldown_type = true
maxDist = 75
category = Application

Neither line breaker nor BREAK_ONLY_BEFORE have worked on this correctly. What am I doing wrong? Thanks

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎03-30-2016 07:46 AM

You need to add this (defaults to true; keep everything else as you showed it:

SHOULD_LINEMERGE=false

View solution in original post

Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎03-30-2016 07:46 AM

You need to add this (defaults to true; keep everything else as you showed it:

SHOULD_LINEMERGE=false
Reply
Solved! Jump to solution

banderson7
Communicator
‎03-30-2016 07:57 AM

No change, unfortunately.

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎03-30-2016 08:15 AM

You have to restart splunk on all the indexers and it will only effect NEWLY INDEXED events.

0 Karma
Reply
Solved! Jump to solution

banderson7
Communicator
‎03-30-2016 08:22 AM

So this is not a search time property addition? Ok, thanks.

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎03-30-2016 08:30 AM

That is correct.

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎03-30-2016 07:21 AM

What seems to be the problem? The line breaks look OK to me. Or is the second example a single event?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

banderson7
Communicator
‎03-30-2016 07:27 AM

The second example shows as one event but it's 7 events in the log.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...