Re: Need to stop the events being Split

ashrafshareeb · ‎01-24-2019

Hi All,

I have a scenario where the events should not be split, but after trying a lot of options it still seems to be not working. Its an health check log,

Sample data

Relay is RUNNING - PID 123123
deal publisher is RUNNING - PID 80345
C ADAPTER is RUNNING - PID 99342
M ADAPTER is RUNNING - PID 662521
SMA is RUNNING - PID 12321321

I just want all them to be an single event, but it keeps on splitting in different ways.

In props.config,
[ehealth] TRUNCATE = 0 MAX_EVENTS = 5

I have tried SHOULD_LINEMERGE = true as well, but doesnt seems to be working. I just want no to break and all the 5 lines get indexed as a single event.

Thanks in advance.

ashrafshareeb · ‎02-21-2019

just an update on this issue(just in case anyone has the same issue) the events were being written in the log file with a delay, by default the time_before_close is 3 seconds. I had to change this to 5 seconds and also also set the multiline_event_extra_waittime=true in inputs.conf

time_before_close = 5
multiline_event_extra_waittime = true

From Splunk documentation on these parameters,
time_before_close = <integer>
* Modtime delta required before Splunk can close a file on EOF.
* Tells the system not to close files that have been updated in past
seconds.
* Defaults to 3.

multiline_event_extra_waittime = [true|false]
*By default, Splunk Enterprise sends an event delimiter when (1) it reaches EOF of a file it monitors and (2) the last char it reads is a newline.
*In some cases, it takes time for all lines of a multiple-line event to arrive.
*Set to true to delay sending an event delimiter until the time that Splunk Enterprise closes the file, as defined by the time_before_close attribute, to allow all event lines to arrive.
*Default to false.

woodcock · ‎01-25-2019

Use this:

[ehealth]
LINE_BREAKER = (?!)
SHOULD_LINEMERGE = false

ashrafshareeb · ‎01-26-2019

It has split all the 5 lines to single events. I want all the 5 lines to be a single event and not split at all

woodcock · ‎01-26-2019

I am quite certain that this configuration will work. It is highly likely that problem is not in the configuration settings but in your delpoyment or testing approach. Answer these questions.
1: Are you overriding/resetting/modifying the sourcetype using a setting in transforms.conf and if so, are you using the original sourcetype or the modified one (you MUST use the original one)?
2: Have you deployed this props.conf file to the FIRST FULL INSTANCE of splunk (e.g. HF/IF or Indexers)?
3: Have you restarted all Splunk instances on those nodes?
4: Are you using _index_earliest=-5m in your search SPL when you test to make sure that you are only looking at newly-indexed events?

ashrafshareeb · ‎01-28-2019

It's a distributed setup with 2 SH and 4 IDX
1. No transforms.conf
2. I have deployed it in the indexers through the deployment server
3. Yes, I have restarted all the splunk instances
4. I'm using last 15 min in the search time range picker.

woodcock · ‎01-28-2019

#4 is totally inadequate. You should use All time and _index_earliest=-5m. Most people do not have their events timestamped correctly.

ashrafshareeb · ‎01-29-2019

I have tried with All time and _index_earliest=-5m but still the same result. 5 lines in the above sample is getting split into 5 different events (with same time stamp). All those 5 lines should be a single event and not split at all

woodcock · ‎01-29-2019

Are you doing a sourcetype override? If so, you need to use the original sourcetype value, not the new ehealth value.

dkeck · ‎01-24-2019

HI,

if you set SHOULD_LINEMERGE=true you need another option

refer to this:https://docs.splunk.com/Documentation/SplunkCloud/7.1.3/Data/Configureeventlinebreaking#Attributes_t...

you could set BREAK_ONLY_BEFORE = ^Relay. If you know that your events always start like this

Tested it in splunk data upload, and I actually have the problem that splunk is not splitting the events until "BREAK_ONLY_BEFORE = ^Relay" is set. Not that some other conf is messing with your settings.

ashrafshareeb · ‎01-24-2019

Hi dkeck,

Thanks for the response.

I have tried the below props.conf and still its not working, the events are getting split differently each time.

SHOULD_LINEMERGE=true
BREAK_ONLY_BEFORE = ^Relay

The events start with Relay as shown in the sample, I have tried adding TRUNCATE=0 and MAX_EVENTS = 5 along with the above configs but doesn't make any difference

dkeck · ‎01-24-2019

Did you restart after you changed props?

ashrafshareeb · ‎01-25-2019

Apologies for late reply, I have restarted after the props.conf changes still no luck.

Need to stop the events being Split

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor