Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to merge multiline messages to one event

akanno
Communicator
‎05-02-2014 01:06 AM

Hi,splunkers

We want to index multiline log messages with no timestamp as one event.

But regular expression for multiline is difficult.

So now I try following configurations.

[source::/opt/mail1.log]

SHOULD_LINEMERGE = true

MAX_EVENTS=200

LINE_BREAKER = XXXXXXXXXXXXX

TRUNCATE = 50000

But it does not work.

first event is 200 lines messages event but next event is 1 line messages event.

I want to 200 lines messages per one event.

Is there any idea?

thank you for my help,

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

lguinn2
Legend
‎05-02-2014 12:51 PM

Try this

[source::/opt/mail1.log]
SHOULD_LINEMERGE = true
MAX_EVENTS=200
BREAK_ONLY_BEFORE=XXXXXXXXXXXX
TRUNCATE = 50000
DATETIME_CONFIG = NONE

View solution in original post

Reply
Solved! Jump to solution
Solution

lguinn2
Legend
‎05-02-2014 12:51 PM

Try this

[source::/opt/mail1.log]
SHOULD_LINEMERGE = true
MAX_EVENTS=200
BREAK_ONLY_BEFORE=XXXXXXXXXXXX
TRUNCATE = 50000
DATETIME_CONFIG = NONE
Reply
Solved! Jump to solution

akanno
Communicator
‎05-08-2014 06:53 PM

Sorry,
Mistake made by me.
This answer is good.
Thank you very much for lguinn ♦ .

0 Karma
Reply
Solved! Jump to solution

akanno
Communicator
‎05-07-2014 09:29 PM

inputs.conf is on universal forwarder for this input
props.conf is on indexer

0 Karma
Reply
Solved! Jump to solution

lguinn2
Legend
‎05-07-2014 08:56 PM

So both your inputs.conf and your props.conf are on the indexer for this input?

0 Karma
Reply
Solved! Jump to solution

akanno
Communicator
‎05-06-2014 08:26 PM

It is on a indexer

0 Karma
Reply
Solved! Jump to solution

lguinn2
Legend
‎05-06-2014 06:35 PM

Next question: where is your input? Is it on a forwarder? A universal forwarder or a heavy forwarder?

Where is your props.conf?

0 Karma
Reply
Solved! Jump to solution

akanno
Communicator
‎05-06-2014 05:55 PM

I tried this answer but I had the same result

0 Karma
Reply
Solved! Jump to solution

akanno
Communicator
‎05-02-2014 01:58 AM

Hi,lguinn ♦ thank you for comment
Assumed log is continuous with same messages
For example
Rejected at IN(default) filter: TCP
Rejected at IN(default) filter: TCP
Rejected at IN(default) filter: TCP

0 Karma
Reply
Solved! Jump to solution

lguinn2
Legend
‎05-02-2014 01:08 AM

We need to see an example of your data. This is not enough information!

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Your Guide to SPL2 at .conf24!

So, you’re headed to .conf24? You’re in for a good time. Las Vegas weather is just *chef’s kiss* beautiful in ...