Re: Multiline Events sent from Universal Forwarde...

dshakespeare_sp · ‎03-09-2017

Customer is ingesting a custom log file. with multi-line events using a Splunk Universal Forwarder which sends data to a Splunk Heavy Forwarder.
The events should contain 20 lines, starting with an event seperator (a series or dashes), a new line, a date, a new line, data payload, followed by a new line. A new event is written once every minute.

When the event is indexed it is seen as 3 seperate events, the data payload, the date and finally the event sepetator.
The customer had tried every combination of LINE_BREAKER, SHOULD_LINEMERGE, BREAK_ONLY_BEFORE, BREAK_ONLY_BEFORE_DATE, MUST_NOT_BREAK_AFTER, TRUNCATE, MAX_EVENTS etc in props.conf on the Heavy Forwarder, but the event was always broken incorrectly on the heavy forwarder.

dshakespeare_sp · ‎03-09-2017

The solution was found in the documentation for inputs.conf in $SPLUNK_HOME/etc/system/README/inputs.conf.spec

multiline_event_extra_waittime = [true|false]

By default, the file monitor sends an event delimiter when:

It reaches EOF of a file it monitors and

Ihe last character it reads is a newline.

In some cases, it takes time for all lines of a multiple-line event to arrive.

Set to true to delay sending an event delimiter until the time that the file monitor closes the file, as defined by the 'time_before_close' setting,
to allow all event lines to arrive.

Defaults to false.

Setting "multiline_event_extra_waittime = true" resolved the issue

Multiline Events sent from Universal Forwarder not breaking correctly

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases