Guys, I'm trying to index some Syslog data from some F5s. The issue I have is, Splunk seems to recognize and break log lines correctly a majority of the time, but sometimes lumps more than a single event into one event. There is no difference in the log lines. Here's an example:
2014-05-05 14:53:19 Local6.Info 10.0.2.64 May 5 14:53:19 DR0-f5-02 info logger: [ssl_acc] 127.0.0.1 - - [05/May/2014:14:53:19 -0600] "/iControl/iControlPortal.cgi" 200 795
2014-05-05 14:53:19 Local6.Info 10.0.2.64 May 5 14:53:19 DR0-f5-02 info logger: [ssl_acc] 127.0.0.1 - - [05/May/2014:14:53:19 -0600] "/iControl/iControlPortal.cgi" 200 950
The above 2 lines were correctly detected as two separate events.
However, all 7 lines below were detected as ONE event. They shouldn't be, because the timestamp is pretty clear on each log event.
2014-05-05 14:53:19 Local6.Info 10.0.2.64 May 5 14:53:19 DR0-f5-02 info logger: [ssl_req][05/May/2014:14:53:19 -0600] 127.0.0.1 TLSv1 AES256-SHA "/iControl/iControlPortal.cgi" 950
2014-05-05 14:53:19 Local0.Notice 10.0.2.64 May 5 14:53:19 DR0-f5-02 notice bigd[7342]: 01060001:5: Service detected UP for ::ffff:10.0.36.23%149:443 monitor /Common/xxxx
2014-05-05 14:53:19 Local0.Notice 10.0.2.64 May 5 14:53:19 DR0-f5-02 notice mcpd[7130]: 01070727:5: Pool /Common/--test-- member /Common/dddd:0 monitor status up. [ /Common/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx_HTTPS: up ] [ was down for 0hr:0min:6sec ]
2014-05-05 14:53:19 Local0.Error 10.0.2.64 May 5 14:53:19 DR0-f5-02 err tmm1[10172]: 01010221:3: Pool /Common/--test-- now has available members
2014-05-05 14:53:19 Local0.Error 10.0.2.64 May 5 14:53:19 DR0-f5-02 err tmm[10172]: 01010221:3: Pool /Common/--test-- now has available members
2014-05-05 14:53:19 Local0.Error 10.0.2.64 May 5 14:53:19 DR0-f5-02 err tmm2[10172]: 01010221:3: Pool /Common/--test-- now has available members
2014-05-05 14:53:19 Local0.Error 10.0.2.64 May 5 14:53:19 DR0-f5-02 err tmm3[10172]: 01010221:3: Pool /Common/--test-- now has available members
Could you guys give me any ideas for what would be going on? Why do the 2 lines above get parsed correctly and not the following ones?
Thank you guys, any help would be appreciated.
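Added example (editor's code, not from the post, Splunk, or F5): a Python model of what an explicit, timestamp-anchored line breaker does to the seven lines above. The props.conf key names in the comments (SHOULD_LINEMERGE, LINE_BREAKER, TIME_PREFIX, TIME_FORMAT, MAX_TIMESTAMP_LOOKAHEAD) are real Splunk settings, but that these particular values are the right fix for this deployment is an assumption, since the post does not say how the input is currently configured. The raw blob is constructed from the post's own lines plus one made-up indented continuation line, to show that text without a leading timestamp stays attached to the previous event rather than becoming its own.

```python
import re
from datetime import datetime

# Constructed input: the seven F5 syslog lines from the post as one raw,
# newline-separated blob (how a syslog input hands them to line breaking),
# plus one constructed continuation line that is NOT from the post.
RAW = "\n".join([
    '2014-05-05 14:53:19 Local6.Info 10.0.2.64 May 5 14:53:19 DR0-f5-02 info logger: [ssl_req][05/May/2014:14:53:19 -0600] 127.0.0.1 TLSv1 AES256-SHA "/iControl/iControlPortal.cgi" 950',
    "2014-05-05 14:53:19 Local0.Notice 10.0.2.64 May 5 14:53:19 DR0-f5-02 notice bigd[7342]: 01060001:5: Service detected UP for ::ffff:10.0.36.23%149:443 monitor /Common/xxxx",
    "2014-05-05 14:53:19 Local0.Notice 10.0.2.64 May 5 14:53:19 DR0-f5-02 notice mcpd[7130]: 01070727:5: Pool /Common/--test-- member /Common/dddd:0 monitor status up. [ /Common/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx_HTTPS: up ] [ was down for 0hr:0min:6sec ]",
    "2014-05-05 14:53:19 Local0.Error 10.0.2.64 May 5 14:53:19 DR0-f5-02 err tmm1[10172]: 01010221:3: Pool /Common/--test-- now has available members",
    "2014-05-05 14:53:19 Local0.Error 10.0.2.64 May 5 14:53:19 DR0-f5-02 err tmm[10172]: 01010221:3: Pool /Common/--test-- now has available members",
    "2014-05-05 14:53:19 Local0.Error 10.0.2.64 May 5 14:53:19 DR0-f5-02 err tmm2[10172]: 01010221:3: Pool /Common/--test-- now has available members",
    "2014-05-05 14:53:19 Local0.Error 10.0.2.64 May 5 14:53:19 DR0-f5-02 err tmm3[10172]: 01010221:3: Pool /Common/--test-- now has available members",
    "    (constructed continuation line with no leading timestamp)",
])

# Python equivalent of an explicit props.conf line breaker (assumed settings)
# that splits only where the NEXT line starts with the relay's own timestamp:
#   SHOULD_LINEMERGE = false
#   LINE_BREAKER = ([\r\n]+)(?=\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} )
BREAKER = re.compile(r"[\r\n]+(?=\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} )")

# Equivalent of pinning timestamp recognition to the start of the event so the
# Apache-style "[05/May/2014:14:53:19 -0600]" inside the ssl_req line is ignored:
#   TIME_PREFIX = ^
#   TIME_FORMAT = %Y-%m-%d %H:%M:%S
#   MAX_TIMESTAMP_LOOKAHEAD = 19
LEADING_TS = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})")
TIME_FORMAT = "%Y-%m-%d %H:%M:%S"


def break_events(raw):
    """Split a raw blob into events at newline runs followed by a leading timestamp."""
    return [e for e in BREAKER.split(raw.strip()) if e]


def extract_time(event):
    """Return the event's leading timestamp as a datetime, or None if absent."""
    m = LEADING_TS.match(event)
    return datetime.strptime(m.group(1), TIME_FORMAT) if m else None


def parse(raw):
    """Break the blob and pair each event with its timestamp and line count."""
    return [
        {"time": extract_time(e), "lines": e.count("\n") + 1, "text": e}
        for e in break_events(raw)
    ]


if __name__ == "__main__":
    # Expect seven events; the last one carries the timestamp-less continuation.
    for ev in parse(RAW):
        print(ev["time"], ev["lines"], ev["text"][:72])
```

The check worth carrying over to a real deployment is the same one the script makes: after applying the stanza, the seven lines should land as seven events with identical extracted timestamps, and the one line that genuinely lacks a timestamp should be the only one that merges. If a line still merges under an explicit breaker, the reason is in the bytes (for example a missing newline between lines in the relay's output) rather than in Splunk's automatic line-merging heuristics.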