Hi,
I configured dbconnect as tail-input on a Oracle database.
My problem is when I found a record with a multiline cell, usually when a SQL query is stored inside the cell.
Splunk split that record: there is a way to avoid it?
For example:
field1 | field2 | field3
ID | TIMESTAMP | SELECT * FROM TABLE;
works fine.
field1 | field2 | field3
ID | TIMESTAMP | SELECT * FROM TABLE
WHERE someoption blablabla;
Got me 2 events, and the second one is "WHERE someoption blablabla;" , without any interesting fields, so it cannot be correlated correctly to any other fields.
Any hints?
Regards
what does your db-tail input look like?
I can get multiline events broken down ok without actually touching props.conf...
Do you have multiline key-value output.format set?
output.format = mkv
what does your db-tail input look like?
I can get multiline events broken down ok without actually touching props.conf...
Do you have multiline key-value output.format set?
output.format = mkv
mkv solved my issue.
Now I'll works on new props/transforms regex, but now splunk splits records correctly.
ciao
have you tried configuring props.conf with linemerging?
Yes, True first and then False.
I tried a non-matching truncate regexp too.