Splunk Search

Using linemerge to merge events

cwwirth
Explorer

Here's the scenario. I have a log file in Windows that looks like this:

c:\Program Files\server-program>server-command do-stuff-here-to-user joeschmo 
Command executed successfully.

c:\Program Files\server-program>server-command do-stuff-here-to-user invaliduser 
Error: Unable to execute server command. The user with name 'invaliduser' could not be found.

I have the Universal Forwarder on this server monitoring the log successfully. I want the events in Splunk to look like they do in the log, with one event per log entry. I've had to set up linemerging on the indexer in order to get things to look right (without it, log entries would be broken into events in ways I don't want), but I'm still dealing with a problem. Log entries that end successfully are linemerged the way I want, but entries that end with an error are still broken into separate events (one event for the command, and another for the error message output).

I've determined this is due to the frequency at which the UF polls the log. Running a command successfully takes less than a second to write both lines to the log, so they appear within the same polling cycle. But if a command fails, there's about a 3-second delay between writing the first line (the command) and the second (the error message output).

How do I get Splunk to either poll this file less frequently, or merge the events together? Below is what I currently have in props.conf on the indexer. Thanks!

[MyCustomSourcetype]
LINE_BREAKER = ([\r\n]+)
BREAK_ONLY_BEFORE = c:\\Program
SHOULD_LINEMERGE = true

richgalloway
SplunkTrust

Experiment with different values of time_before_close in the forwarder's inputs.conf file. See Monitor files and directories with inputs.conf or inputs.conf.spec.

---
If this reply helps you, Karma would be appreciated.