Currently we are monitoring a directory with batch job logs in it and it is not breaking correctly.
[monitor:///home/prod/department/interface/joblogs/*]
sourcetype = joblogs
index = finance
disabled = false
And I am trying to break the files up here.
[joblogs]
BREAK_ONLY_BEFORE = (E r r o r\s+L o g|J o b\s+L o g)
NO_BINARY_CHECK=1
SHOULD_LINEMERGE = True
We are setting the source to the log file name so each different file has a unique source name. I do not want to change the sourcetype name or split the sourcetypes by file. Ideally I am looking to break each file into one event based on the source so that each different file would be 1 event within the index. It is currently breaking the logs into several events.
No problem, do this
[joblogs]
NO_BINARY_CHECK=1
SHOULD_LINEMERGE = false
LINE_BREAKER = ((*FAIL))
TRUNCATE = 99999999
I used this answer for the info.
Thank you, I believe this will do the trick. I will double-check in the AM after the batch jobs have run tonight.
Does the word "Error Log" really have spaces between every letter like that? Literally "E r r o r L o g", or is it possible that you have some kind of character set issue (like UTF-16 or something)? That's a long-shot, but it may be relevant.
Could you post a few samples? And also, indicate at what points the file is currently being broken.