Keeping long events together

New Member

I've got a log of Rails requests which are mostly parsed correctly. Almost every request seems to be a single event with all the relevant lines included. That is apart from the long-running requests. It seems that everything taking over a few seconds is still split into the initial request event and a few lines of summary as separate entries.

The files are created per single-threaded workers, so there are never extra lines from different contexts in between. How can I force Splunk to keep those lines together? Is there some timeout value I can adjust? I can't find anything obvious in the props.conf documentation.

Revered Legend

Those properties are available in inputs.conf.

time_before_close = <integer>
* Modification time delta required before the file monitor can close a file on
  EOF.
* Tells the system not to close files that have been updated in past <integer>
  seconds.
* Defaults to 3.

multiline_event_extra_waittime = [true|false]
* By default, the file monitor sends an event delimiter when:
  * It reaches EOF of a file it monitors and
  * The last character it reads is a newline.
* In some cases, it takes time for all lines of a multiple-line event to
  arrive.
* Set to true to delay sending an event delimiter until the time that the
  file monitor closes the file, as defined by the 'time_before_close' setting,
  to allow all event lines to arrive.
* Defaults to false.
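A small model of the file-monitor behaviour the spec text above describes, added here as an illustration (it is not Splunk's code and not part of the answer). It assumes a constructed worker log in which the slow request's summary lines arrive 5 seconds after its "Started" line, and shows that multiline_event_extra_waittime only keeps the event together when time_before_close is longer than that gap.

```python
# Constructed sample: one single-threaded worker's log as (seconds, appended text).
# The slow request's summary is written 5 seconds after its "Started" line.
WRITES = [
    (0, 'Started GET "/reports/slow" for 10.0.0.5\n'),
    (5, "Rendered reports/slow.html (4990.0ms)\nCompleted 200 OK in 5002ms\n"),
    (20, 'Started GET "/ping" for 10.0.0.5\nCompleted 200 OK in 3ms\n'),
]


def simulate_monitor(writes, multiline_event_extra_waittime=False,
                     time_before_close=3, horizon=40):
    """Simplified model (an assumption, not Splunk's implementation) of the
    inputs.conf behaviour: poll the file once per second, read what was
    appended, and decide when to emit an event delimiter.

    Returns the list of events, each event being its list of lines."""
    events, buf = [], ""
    pending = sorted(writes)
    last_mod = None
    for t in range(horizon + 1):
        # Read everything appended up to this poll; note the modification time.
        while pending and pending[0][0] <= t:
            _, text = pending.pop(0)
            buf += text
            last_mod = t
        if not buf:
            continue
        if not multiline_event_extra_waittime:
            # Default: EOF with a trailing newline => delimiter immediately,
            # so lines that arrive later become a separate event.
            if buf.endswith("\n"):
                events.append(buf.rstrip("\n").split("\n"))
                buf = ""
        elif t - last_mod >= time_before_close:
            # Delimiter is delayed until the file is closed, i.e. it has not
            # been modified for time_before_close seconds.
            events.append(buf.rstrip("\n").split("\n"))
            buf = ""
    if buf:  # final close at end of the simulation
        events.append(buf.rstrip("\n").split("\n"))
    return events


if __name__ == "__main__":
    for extra, tbc in ((False, 3), (True, 3), (True, 10)):
        ev = simulate_monitor(WRITES, extra, tbc)
        print(f"extra_waittime={extra} time_before_close={tbc}: {len(ev)} events")
```

With the defaults the slow request yields two events; with the wait-time flag but the default 3-second close it still splits, and only time_before_close=10 produces one event per request.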