Splunk Enterprise

Having issues with props.conf file: avoid line breaking after newline and carriage return

SIEMStudent
Path Finder

Hi Splunkers,

I'm on an add-on creation task, Glassfish in particular, and, like other times I faced these kinds of requests, I'm configuring the props.conf file.

In this configuration I'm facing the following issue: I know that events start with two kinds of character sequences:

  1. [#|
  2. Date in format month (3 letters) and day, so for example Jun 07

So, in BREAK_ONLY_BEFORE, I put the following regex:

[\[\#\|] | [\w{3}\s\d{2}]

and it works fine.

A problem arises in the second case: when these events are present, they have a structure with many carriage returns. Here is a log sample:

Jun 07, 2022 8:29:52 PM <some_path_here>info
INFO: JVM invocation command line:
-XX:+UnlockDiagnosticVMOptions
-XX:MaxPermSize=<size>
-XX:PermSize=<size>
-XX:NewRatio=<size>
-Xms<size>
-Xmx4096m
<other lines that starts always with - symbol>

In such a case, the default event line breaking splits every piece of info in these events into a different event. So, I set

SHOULD_LINEMERGE=1

but I still have problems; even with this configuration, the events are not properly merged. What I got are 3 different events, split in this way:

Jun 07, 2022 8:29:52 PM <some_path_here>info

first part of info starting with - symbol, so:

INFO: JVM invocation command line:
-XX:+UnlockDiagnosticVMOptions
-XX:MaxPermSize=<size>
-XX:PermSize=<size>
-XX:NewRatio=<size>
-Xms<size>
-Xmx4096m

remaining part of info starting with - symbol, so:

-Djavax.net.<remaining path>
-Dcom.sun.enterprise.security.httpsOutboundKeyAlias=<value>
-DANTLR_USE_DIRECT_CLASS_LOADING=<value>

To fix this, I tried to use:

MUST_NOT_BREAK_AFTER=[\r\n]+

but it does not work. The event is still divided into the above 3 different parts.

How can I fix it?

1 Solution

isoutamo
SplunkTrust

Hi

you could try this:

[<ST here>]
SHOULD_LINEMERGE=false
LINE_BREAKER=([\n\r]+)(\[#\||\w+ \d\d, \d\d\d\d)
NO_BINARY_CHECK=true
TIME_FORMAT=%b %d, %Y %I:%M:%S %p
TIME_PREFIX=^
MAX_TIMESTAMP_LOOKAHEAD=32

r. Ismo 
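
The LINE_BREAKER behaviour this answer relies on, as an added example that is not part of the original posts: a Python simulation (not Splunk's own code) in which the text matched by the first capture group is discarded and the next event starts right after it. The sample input is constructed from the log excerpt in the question, with CRLF line endings; `break_events`, `ANSWER_BREAKER` and `DEFAULT_BREAKER` are names introduced here.

```python
import re

# LINE_BREAKER copied verbatim from the stanza in the answer above.
ANSWER_BREAKER = re.compile(r"([\n\r]+)(\[#\||\w+ \d\d, \d\d\d\d)")
# Splunk's documented default LINE_BREAKER: every run of newlines ends an event.
DEFAULT_BREAKER = re.compile(r"([\r\n]+)")


def break_events(raw, breaker):
    """Simulate LINE_BREAKER with SHOULD_LINEMERGE=false.

    Text before capture group 1 closes the current event, group 1 itself is
    thrown away, and everything after it opens the next event.
    """
    events, start = [], 0
    for m in breaker.finditer(raw):
        events.append(raw[start:m.start(1)])
        start = m.end(1)
    tail = raw[start:].rstrip("\r\n")  # last event has no following breaker
    if tail:
        events.append(tail)
    return events


# Constructed sample: the question's excerpt plus one constructed "[#|" record
# and a second constructed date-prefixed record.
SAMPLE = "\r\n".join([
    "Jun 07, 2022 8:29:52 PM <some_path_here>info",
    "INFO: JVM invocation command line:",
    "-XX:+UnlockDiagnosticVMOptions",
    "-Xmx4096m",
    "-Djavax.net.<remaining path>",
    "[#|2022-06-07T20:29:53|INFO|constructed record|#]",
    "Jun 07, 2022 8:29:54 PM <some_path_here>info",
    "INFO: constructed second message",
]) + "\r\n"

if __name__ == "__main__":
    for name, breaker in (("default", DEFAULT_BREAKER), ("answer", ANSWER_BREAKER)):
        events = break_events(SAMPLE, breaker)
        print(f"{name}: {len(events)} events")
        for i, ev in enumerate(events):
            print(f"  [{i}] {ev.splitlines()[0]} (+{len(ev.splitlines()) - 1} lines)")
```

Because the second group requires `[#|` or a `Mon DD, YYYY` prefix directly after the newline run, lines beginning with `-` or `INFO:` never start a new event, so no line merging is needed.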
