Getting Data In

Merge lines from rotated file

chclemence
Explorer

Hello,

I have some difficulties to ingest properly logs from rotated file, where the rotation is fully handled by an application, without any settings about its log files.

In some cases, it rotates the log file in the middle of an event, and before the timestamp.

Like this:

file.log.1

[category][event][reason][host][timestamp]...

[category][event][reason][host][timestamp]...

[category][event][reason]

Note: there is no new line or carriage return at tne end of the file

file.log

[host][timestamp]...

[category][event][reason][host][timestamp]...

[category][event][reason][host][timestamp]...

I have some events with an additional line in plain text (no brackets), so at first I let the line merger do its job, but for the splitted line between the 2 log files, it does not work as the first line does not contain the timestamp, and it is added to the previous event.

So, I disabled line merging and started to build a line breaker, resulting in this:

(?:\[[^]]*\][\r\n]*){24}\[[^]]*\](?:[^\[\]]*)([\r\n]+)

This is because the log line is made of 25 blocks between brackets, and optionally a second line.

It works very good on a test file when the splitted line is in the same file, but once the 2 parts of the line are in different files ... it does not work anymore 😞

Do you have any advice on how I could handle that ?

Labels (3)
0 Karma
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Casting Call: Compete in Cyber Games

Lights, Camera, SecOps: Apply to Compete in Cyber Games     Think you have what it takes to beat the clock? ...

Data Management Digest – June 2026

Welcome to the June 2026 edition of Data Management Digest! This month’s update is short and sweet, with a ...

Think Like an Architect: Introducing the Splunk Certified Cybersecurity Defense ...

In cybersecurity, defenders respond to threats. Architects design the systems that stop them.    As ...