Hi,
I have Rails requests which take more than 15 sec. Rails writes to the production.log in 2 steps.
It seems that Splunk creates 2 events, one from each part of the prints to the log.
Is there a way to tell Splunk to wait for XX seconds until the end of the log message print?
Thanks,
Aviram
Is your application using a write buffer, or is it a slow process writing the events slowly in chunks (cutting events in the middle of the line)?
You can use the setting time_before_close in inputs.conf on the forwarders for this monitor, to force Splunk to wait longer before detecting the EOF.
See http://docs.splunk.com/Documentation/Splunk/5.0.4/admin/Inputsconf
time_before_close =
* Modtime delta required before Splunk can close a file on EOF.
* Tells the system not to close files that have been updated in past
* Defaults to 3.
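A monitor stanza applying the setting from the answer above, as an added example that is not part of the original thread. The log path and sourcetype name are placeholders, and the value 30 is an assumed figure chosen only because it exceeds the 15-second requests described in the question.

```ini
# inputs.conf on the forwarder that monitors the Rails log
# (path and sourcetype below are placeholders, not values from the thread)
[monitor:///path/to/rails/app/log/production.log]
sourcetype = rails_production

# Keep the file open until it has gone unmodified for 30 seconds,
# so the second part of a slow request's log entry arrives before
# Splunk treats EOF as the end of the event. The default is 3.
time_before_close = 30
```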