I have a log generated by log4j.
An event in this log looks like the following:
Fri Jan 04 2013 13:05:34,114 EST ERROR wavemark.webapp.interceptors.WmExceptionInterceptor - WaveMarkException occurred
wavemark.common.exceptions.WaveMarkException: Error while calling method [getReportData] in delegate [ReportSessionDelegate]
at wavemark.webapp.delegates.ReportSessionDelegate.getReportData(ReportSessionDelegate.java:52)
...multiple lines...
RepName, LastCabinetID, ExpectedDeliveryDate From MFR_MissingItem_RP, DB, N/A, dany.ostamdtru, null, 2013-03-06 10:58:30.974, 170, MEDTRONIC]
Query: InsertObjectQuery(wavemark.core.entities.PerformanceTiming@1d46a898)
at org.eclipse.persistence.internal.jpa.EntityManagerImpl.flush(EntityManagerImpl.java:699)
The above event contains 2 dates: one in the header at the top of the event and one on a later line (the second date may or may not exist, depending on the stack trace).
The question: why does Splunk index this as 2 separate events, and how do I prevent that from happening? I only need Splunk to treat what begins with a date as a single event.
The default behavior is to consider a new timestamp to be a new event. You can do a couple of things:
If these don't work, you might have to resort to the following:
Do you think I need a LINE_BREAKER in my case?
\w{3}\s\w{3}\s\d{2}\s\d{4}\s\d{2}:\d{2}:\d{2}
Thanks for the hint, but where should I edit these parameters? Can you give me an example?
In the props.conf?
Yes, you're right that it's props.conf. The stanza name will depend on what you have defined for the sourcetype of the data in inputs.conf. Let's say it's called "mylog4j". The stanza would then look like:
[mylog4j]
TIME_FORMAT = %a %b %d %Y %H:%M:%S,%3N %z
MAX_TIMESTAMP_LOOKAHEAD = 30
See strftime.net for hints on the format characters in TIME_FORMAT.
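The following Python script is an added example, not part of the thread or of Splunk, that lets you check the two ideas above offline before touching props.conf: breaking events only where a newline is followed by the log4j header (the LINE_BREAKER shape), versus breaking on any line that carries a timestamp within a lookahead window, and parsing the header with the strptime equivalent of the TIME_FORMAT above. The sample log is constructed to mirror the shape of the event in the question (a stack trace carrying a second, unrelated date, followed by the next event); the "any timestamp within N characters starts a new event" rule is a deliberate simplification of Splunk's behaviour, not its actual implementation, and the zone-abbreviation map is an assumption covering only the zones in the sample, because Python's strptime does not resolve abbreviations such as EST.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample (not taken from a real system): one log4j ERROR event whose
# stack trace carries a second, unrelated date, followed by the next event.
SAMPLE_LOG = (
    "Fri Jan 04 2013 13:05:34,114 EST ERROR wavemark.webapp.interceptors.WmExceptionInterceptor - WaveMarkException occurred\n"
    "wavemark.common.exceptions.WaveMarkException: Error while calling method [getReportData] in delegate [ReportSessionDelegate]\n"
    "\tat wavemark.webapp.delegates.ReportSessionDelegate.getReportData(ReportSessionDelegate.java:52)\n"
    "\tbind => [RepName, LastCabinetID, ExpectedDeliveryDate, DB, N/A, user1, null, 2013-03-06 10:58:30.974, 170, MEDTRONIC]\n"
    "Query: InsertObjectQuery(wavemark.core.entities.PerformanceTiming@1d46a898)\n"
    "\tat org.eclipse.persistence.internal.jpa.EntityManagerImpl.flush(EntityManagerImpl.java:699)\n"
    "Fri Jan 04 2013 13:05:35,002 EST INFO wavemark.webapp.Startup - next event\n"
)

# The log4j header timestamp, as in the regex from the thread, extended with the
# millisecond and zone fields so the whole value can be parsed.
HEADER_TS = r"\w{3}\s\w{3}\s\d{2}\s\d{4}\s\d{2}:\d{2}:\d{2}"
HEADER_RE = re.compile(r"^(?P<ts>" + HEADER_TS + r",\d{3})\s(?P<tz>[A-Z]{3,4})")

# Anything that looks like a timestamp: the log4j header or an ISO-style date.
ANY_TS_RE = re.compile(HEADER_TS + r"|\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}")

# Same shape as a Splunk LINE_BREAKER: the newline run is the break, the header
# is only a lookahead, so it stays at the start of the new event.
LINE_BREAKER_RE = re.compile(r"[\r\n]+(?=" + HEADER_TS + r")")


def split_by_timestamp_lookahead(text, lookahead=128):
    """Simplified model (an assumption, not Splunk's real algorithm) of breaking
    on any line that carries a timestamp: a line begins a new event when a
    timestamp starts within its first `lookahead` characters.
    128 mirrors Splunk's default MAX_TIMESTAMP_LOOKAHEAD."""
    events = []
    for line in text.splitlines():
        m = ANY_TS_RE.search(line)
        starts_event = bool(m) and m.start() < lookahead
        if starts_event or not events:
            events.append(line)
        else:
            events[-1] += "\n" + line
    return events


def split_with_line_breaker(text):
    """Break only where a newline is followed by a log4j header, regardless of
    any date deeper inside an event (the LINE_BREAKER approach)."""
    return [e.rstrip("\r\n") for e in LINE_BREAKER_RE.split(text) if e.strip()]


# Zone abbreviations are ambiguous in general; this map is a deliberate assumption
# covering only the zones in the sample (Python's strptime %Z does not resolve "EST").
TZ_OFFSETS = {"EST": -5, "EDT": -4}


def parse_header_timestamp(event):
    """Parse the event's leading timestamp with the strptime equivalent of the
    thread's TIME_FORMAT (Splunk's %3N becomes %f in Python) and attach the
    zone offset from the abbreviation."""
    m = HEADER_RE.match(event)
    if not m:
        raise ValueError("event does not start with a log4j header timestamp")
    naive = datetime.strptime(m.group("ts"), "%a %b %d %Y %H:%M:%S,%f")
    offset = timezone(timedelta(hours=TZ_OFFSETS[m.group("tz")]))
    return naive.replace(tzinfo=offset)


if __name__ == "__main__":
    for label, events in (
        ("any timestamp, lookahead 128", split_by_timestamp_lookahead(SAMPLE_LOG, 128)),
        ("any timestamp, lookahead 30", split_by_timestamp_lookahead(SAMPLE_LOG, 30)),
        ("LINE_BREAKER on header", split_with_line_breaker(SAMPLE_LOG)),
    ):
        print(f"{label}: {len(events)} event(s)")
    first = split_with_line_breaker(SAMPLE_LOG)[0]
    print("first event timestamp:", parse_header_timestamp(first).isoformat())
```

With the default-style 128-character lookahead the second date inside the stack trace (at offset 78 in its line) starts a third event, which is the symptom described in the question; shrinking the lookahead to 30 or breaking only before the header regex both yield the two events you actually want. Run the script as-is; the assertions in a test harness check the event counts and the parsed header timestamp.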