Hi Splunkers,
I'm on an addon creation task, Glassfish in particular and, like other times I faced tese kind or request, I'm configuring the props.conf file.
In this configuration I'm facing the ...
See more...
Hi Splunkers,
I'm on an addon creation task, Glassfish in particular and, like other times I faced tese kind or request, I'm configuring the props.conf file.
In this configuration I'm facing the following issue: I know that events starts with two kind of character sequences:
[#|
Date in format month (3 letters) and day, so for example Jun 07
So, in BREAK_ONLY_BEFORE, i putted the following regex:
[\[\#\|] | [\w{3}\s\d{2}]
and it works fine.
A problem rise in the second case: when this events are present, they have a structure with many carriage return. Here a log sample:
Jun 07, 2022 8:29:52 PM <some_path_here>info
INFO: JVM invocation command line:
-XX:+UnlockDiagnosticVMOptions
-XX:MaxPermSize=<size>
-XX:PermSize=<size>
-XX:NewRatio=<size>
-Xms<size>
-Xmx4096m
<other lines that starts always with - symbol>
In such case, the default event line breaking split every info in this events in a different events. So, I set
SHOULD_LINEMERGE=1
but I have still problems; even with this configuration, the events are not properly merged. What I got are 3 different events splitted in such a way::
Jun 07, 2022 8:29:52 PM <some_path_here>info
first part of info starting with - symbol, so:
INFO: JVM invocation command line:
-XX:+UnlockDiagnosticVMOptions
-XX:MaxPermSize=<size>
-XX:PermSize=<size>
-XX:NewRatio=<size>
-Xms<size>
-Xmx4096m
remaining part of info starting with - symbol, so:
-Djavax.net.<remaining path>
-Dcom.sun.enterprise.security.httpsOutboundKeyAlias=<value>
-DANTLR_USE_DIRECT_CLASS_LOADING=<value>
To fix this, I tried to use:
MUST_NOT_BREAK_AFTER=[\r\n]+
but it does not work. The event is still divided in the above 3 different parts.
How can I fix it?