I've configured my splunk to recieve data from syslog via udp. The application uses a SyslogAppender in it's log4j configuration.
I edited my props.conf to get multiline log messages as a single event in splunk.
So far everything works fine.
But there's a timestamp and ip, wich (i believe) is generated by splunk, as prefix of every single line in an multiline event. This timestamp/IP prefix reduces readability of log messages dramaticaly.
Therefore I would like to know if there's a way to make splunk not to display these information in every single line?
here's an example of an event as displayed in splunk:
Jan 18 12:08:26 10.228.45.52 ERROR [18.01.12 12:08:26] RequestCycle - Too many path parts,
please provide sufficient number of path parameter names [thread: http-8080-16]
Jan 18 12:08:26 10.228.45.52 java.lang.IllegalArgumentException: Too many path parts, please provide sufficient number of path parameter names
Jan 18 12:08:26 10.228.45.52 at org.apache.wicket.request.target.coding.MixedParamUrlCodingStrategy.decodeParameters(MixedParamUrlCodingStrategy.java:178)
Jan 18 12:08:26 10.228.45.52 at org.apache.wicket.request.target.coding.BookmarkablePageRequestTargetUrlCodingStrategy.decode()
The 'Jan 18 12:08:26 10.228.45.52' timestamp/IP part is the one I would like not to diplay at all, or display only at the very begining of each event.
Thanks in advance for your help!
... View more