Getting Data In

Why is multiline single event with sourcetype nginx:plus:kv intermittently showing?

rasikmhetre
Explorer

I am using the nginx app to ship nginx logs to Splunk. Everything works well, but intermittently I see a single event consisting of multiple nginx access log lines.

The Nginx app itself has EventBreaker=enabled and EventBreaker=regex. (This doesn't work 10-20% of the time.)

Can someone please help or am I missing something?

My inputs.conf :

[monitor:///var/log/nginx-access.log]
index = artifactory
disabled = false
source = nginx-access
sourcetype = nginx:plus:kv

[monitor:///var/log/nginx-error.log]
disabled = false
sourcetype = nginx:plus:error
index = artifactory
source = nginx-error.

The Nginx app has already created props.conf on the search head cluster.

0 Karma
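The two places event breaking is configured in Splunk, shown as an added example (not the NGINX app's shipped props.conf and not from this thread). The stanza name is the sourcetype from the question; the split into a forwarder-side file and an indexer-side file is the point being illustrated: EVENT_BREAKER on the universal forwarder only decides where the forwarder may cut the stream into chunks, while SHOULD_LINEMERGE and LINE_BREAKER on the indexers (or a heavy forwarder) do the actual breaking. A props.conf that exists only on the search head cluster is never consulted at parse time.

```ini
# Added example, not the NGINX app's own props.conf.
# Stanza name = sourcetype from the question; the rest is illustrative.

# ---- File 1: props.conf on the universal forwarder ----
# EVENT_BREAKER tells the UF where it may end a chunk before sending it on
# (so no chunk ends mid-event). It does NOT perform the final line breaking.
[nginx:plus:kv]
EVENT_BREAKER_ENABLE = true
EVENT_BREAKER = ([\r\n]+)

# ---- File 2: props.conf on the indexers (or heavy forwarder) ----
# This is the tier that parses. With no stanza here, Splunk falls back to
# SHOULD_LINEMERGE = true and appends any line whose timestamp it cannot
# recognise to the previous event, which appears as one event that holds
# several access-log lines. Breaking on every newline and disabling
# line merging makes one line = one event regardless of timestamp parsing.
[nginx:plus:kv]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
```

To measure how often merging still happens after deploying the indexer-side stanza, a search such as `sourcetype=nginx:plus:kv | eval lines=mvcount(split(_raw, "\n")) | where lines > 1 | stats count by host, source` counts the events that contain more than one line; a restart of splunkd on the parsing tier is needed for the new stanza to take effect, and events already indexed are not re-broken.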

VatsalJagani
SplunkTrust

@rasikmhetre - Please provide log samples (mask critical values), so we can help you write a proper line breaker.

0 Karma