On the main indexer (i.e. not the universal forwarder, as that only fires data over and does not process it)
In the directory
[wherever you have put the main Splunk indexer]\Splunk\etc\system\local
NB this dir is where you put your own additions to the config files for Splunk so you don't mess with the original ones.
In the file
props.conf (You may need to create one of these if one does not exist)
Add
[source::vmstat]
SHOULD_LINEMERGE = True
BREAK_ONLY_BEFORE = memTotalMB
This (I believe) tells Splunk to allow line merge (SHOULD_LINEMERGE). Then BREAK_ONLY_BEFORE tells Splunk what to look for to break on. So in the case of vmstat this is the first element on the first line of the output, so Splunk will break the event on that. So it will see one of these and break all data before the string. Then it continues merging lines until it sees another instance of the string and does a break, so all info between the 2 becomes 1 event.
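To make the merging behaviour described above concrete, here is an added simulation (not Splunk's own code, and not from the poster) of what SHOULD_LINEMERGE plus BREAK_ONLY_BEFORE does to a stream of lines. The vmstat-style sample is constructed for the example: it assumes, as the post does, that "memTotalMB" is the first field on the first line of each report, and it treats BREAK_ONLY_BEFORE as a regex searched against each incoming line, which is how Splunk applies it.

```python
import re

# Constructed sample input: two consecutive vmstat-style reports, each of which
# starts with a line whose first field is "memTotalMB" (hypothetical values).
SAMPLE_VMSTAT = """memTotalMB=16384 memFreeMB=8192
swapTotalMB=4096 swapFreeMB=4096
cpuUser=12 cpuSys=3 cpuIdle=85
memTotalMB=16384 memFreeMB=8000
swapTotalMB=4096 swapFreeMB=4090
cpuUser=20 cpuSys=5 cpuIdle=75
"""


def merge_events(raw, break_only_before, should_linemerge=True):
    """Simulate Splunk's line merging for one source.

    should_linemerge=False  -> every non-empty line is its own event.
    should_linemerge=True   -> lines are accumulated into one event until a
                               line matching break_only_before (a regex) is
                               seen, which starts a new event. Lines before the
                               first match become the first event on their own.
    Returns the list of event strings in arrival order.
    """
    lines = raw.splitlines()
    if not should_linemerge:
        return [line for line in lines if line]

    pattern = re.compile(break_only_before)
    events = []
    current = []
    for line in lines:
        # A matching line closes the event in progress (if any) and opens a new one.
        if pattern.search(line) and current:
            events.append("\n".join(current))
            current = []
        current.append(line)
    if current:
        events.append("\n".join(current))
    return events


def event_line_counts(raw, break_only_before):
    """Convenience: number of lines in each merged event, for eyeballing the result."""
    return [event.count("\n") + 1 for event in merge_events(raw, break_only_before)]


if __name__ == "__main__":
    # With merging on and the break string from the post, the six lines become two events.
    for i, event in enumerate(merge_events(SAMPLE_VMSTAT, "memTotalMB"), start=1):
        print(f"--- event {i} ---")
        print(event)
    # With merging off, the same input is six single-line events.
    print(len(merge_events(SAMPLE_VMSTAT, "memTotalMB", should_linemerge=False)), "events without line merge")
```

One practical check when testing a stanza like this on a real indexer: Splunk caps the number of lines it will merge into one event (MAX_EVENTS in props.conf, default 256), so a report longer than that will be split even though no new BREAK_ONLY_BEFORE match has appeared.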