Hi
I have a problem with an logifle wich has over 95% single line events and a few multiline events.
These multiline events have this format
START*A .....
....
....
....
END
How can I configure I splunk to keep this lines together as a one multiline event?
Thanks for your help
Rob
Yes, the inner multiline lines are indented with tabs
Then:
[mysourcetype]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)(?:XSET|XGET|START|\?|XKS|XDEL)
may do it. Or,
[mysourcetype]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)(?!(?:END|\t))
for best performance, you want to set SHOULD_LINEMERGE = false, which disables all rules other than LINE_BREAKER. but generally indexing performance is not a problem and so a clearer rule may be better.
I have played around with the data preview in the UI (really cool thing!) and found that this works too.
MUST_NOT_BREAK_AFTER=^START\*\w+\s
MUST_BREAK_AFTER=^END
SHOULD_LINEMERGE= true
In case of performance, did you recommend your solution with the LINE_BREAKER or my way?
Thank you very much for your help!
Rob
So, with the multi-line events, are the inner lines actually indented with spaces or tabs? Or is that just how you formatted it?
The single lines are really different
They begin with ..
XSET
XGET
START ......... END
?
XKS
XDEL
what do the single line events look like?