Splunk is splitting each line into an event instead of grouping the whole block as one event. I've tried a few fixes for this host in C:\Program Files\Splunk\etc\system\local\props.conf. (I removed the actual IP below and replaced it with "hostname")
My ESXi host's hostd logs on the host look like below:
2016-08-08T19:16:29.145Z [3C481B70 error 'SoapAdapter']
--> Required parameter querySpec is missing
-->
--> while parsing call information for method QueryPerf
--> at line 1, column 285
-->
--> while parsing SOAP body
--> at line 1, column 271
-->
--> while parsing SOAP envelope
--> at line 1, column 38
-->
--> while parsing HTTP request for method queryStats
--> on object of type vim.PerformanceManager
--> at line 1, column 0
My props.conf additions look like the below:
This did nothing - events came in the same
[host::hostname]
BREAK_ONLY_BEFORE_DATE = true
SHOULD_LINEMERGE = true
No difference once again
[host::hostname]
TIME_PREFIX = (\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}.\d{3}Z)
BREAK_ONLY_BEFORE_DATE = true
SHOULD_LINEMERGE = true
This one removed the dates, but still broke it out on each line
[host::hostname]
LINE_BREAKER = (\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}.\d{3}Z)
Any ideas what I can do next? It seems like Splunk is finding a timestamp on each line, but I don't see where it's getting that.
Thanks!
... View more