Multi-Line Syslog Interpreted as Separate Messages

Explorer

2011-03-09T11:21:34-04:00 ab-wtsk-mg3200-2 [Src=10.157.32.26/49842 Dst=4070 PType=6] ErrMgs=1 Cid=23: 1 RTP packets lost: CID=23
[Code:3700e] [Time: 8:21:13]

That's an example log from syslog-ng to a FIFO pipe on my Splunk server. It sends the same message to Splunk via a UDP port.

Splunk is interpreting it as 2 separate log messages:

------ BEGIN TEXT SPLUNK DUMP HERE ------

3/9/11
11:21:13.000 AM
[Code:3700e] [Time: 8:21:13]
host=172.16.6.52 Alberta MG3200 Wetaskiwin ab-wtsk-mg3200-2
sourcetype=syslog
source=MST

3/9/11
2:21:34.000 PM
Mar 9 11:21:34 ab-wtsk-mg3200-2 [Src=10.157.32.26/49842 Dst=4070 PType=6] ErrMgs=1 Cid=23: 1 RTP packets lost: CID=23
host=ab-wtsk-mg3200-2 Alberta MG3200 Wetaskiwin
sourcetype=syslog
source=MST

------ END TEXT SPLUNK DUMP HERE ------

How can I stop this behaviour, and make it recognize it as a single log event?

1 Solution

Motivator

You could use the attribute BREAK_ONLY_BEFORE in your props.conf, for example if your sourcetype is syslog:

[syslog]
SHOULD_LINEMERGE = true
BREAK_ONLY_BEFORE = <regular expression>

Here: Configure linebreaking for multi-line events

There is an explanation of different ways to do it.


Explorer

Thanks, I ended up using the following instead:

[syslog]
SHOULD_LINEMERGE = true
BREAK_ONLY_BEFORE_DATE = true

Since all of my traffic is being filtered by syslog-ng before going into Splunk, I know it will all have a timestamp. That seems to have fixed my issue for me.
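As an added illustration (not code from this thread or from Splunk itself), the Python below emulates what SHOULD_LINEMERGE with a BREAK_ONLY_BEFORE timestamp regex, or BREAK_ONLY_BEFORE_DATE, does to the feed in the question: a line may start a new event only when it begins with a timestamp, so the `[Code:3700e] [Time: 8:21:13]` continuation is folded into the preceding line instead of becoming its own event. The two timestamp patterns and the sample input are constructed assumptions, not Splunk's built-in date detection.

```python
import re
from typing import List

# Constructed sample: the two-line syslog-ng message from the question, followed by a
# second one-line message so the merger has an event boundary to find.
SAMPLE = """2011-03-09T11:21:34-04:00 ab-wtsk-mg3200-2 [Src=10.157.32.26/49842 Dst=4070 PType=6] ErrMgs=1 Cid=23: 1 RTP packets lost: CID=23
[Code:3700e] [Time: 8:21:13]
2011-03-09T11:21:35-04:00 ab-wtsk-mg3200-2 [Src=10.157.32.26/49842 Dst=4070 PType=6] ErrMgs=0 Cid=23: 0 RTP packets lost: CID=23
"""

# Assumed leading-timestamp patterns: ISO 8601 as syslog-ng writes it to the FIFO, and the
# classic BSD "Mar  9 11:21:34" form seen on the UDP feed in the Splunk dump.
ISO_TS = r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:[+-]\d{2}:\d{2}|Z)?"
BSD_TS = r"[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}"
# Anchored with ^ on purpose: "[Time: 8:21:13]" contains a time but not at the start of
# its line, so it must NOT be treated as the beginning of a new event.
BREAK_BEFORE = re.compile(rf"^(?:{ISO_TS}|{BSD_TS})\b")


def merge_events(raw: str, break_before: "re.Pattern[str]" = BREAK_BEFORE) -> List[str]:
    """Emulate SHOULD_LINEMERGE=true with a BREAK_ONLY_BEFORE-style rule.

    A line that matches break_before opens a new event; any other line is appended
    to the event in progress. BREAK_ONLY_BEFORE_DATE is the same idea, with Splunk's
    own date recognition standing in for the regex.
    """
    events: List[str] = []
    for line in raw.splitlines():
        if not line.strip():
            continue  # ignore empty lines between messages
        if break_before.search(line) or not events:
            events.append(line)
        else:
            events[-1] += "\n" + line
    return events


def continuation_lines(raw: str, break_before: "re.Pattern[str]" = BREAK_BEFORE) -> int:
    """Count lines that would be absorbed into a previous event. A high count on a feed
    expected to be one-line-per-event is a sign the breaking rule does not fit the data."""
    return sum(1 for l in raw.splitlines() if l.strip() and not break_before.search(l))


if __name__ == "__main__":
    for i, ev in enumerate(merge_events(SAMPLE), 1):
        print(f"--- event {i} ---\n{ev}")
```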
