Getting Data In

Help with line breaking

salles
Loves-to-Learn Lots

Guys, I'm trying to index some Syslog data from some F5's. The issue I have is, Splunk seems to recognize and break log lines correctly a majority of the time, but sometimes lumps more than a single event into one event. There is no difference in the log lines. Here's an example:

2014-05-05 14:53:19 Local6.Info 10.0.2.64 May 5 14:53:19 DR0-f5-02 info logger: [ssl_acc] 127.0.0.1 - - [05/May/2014:14:53:19 -0600] "/iControl/iControlPortal.cgi" 200 795

2014-05-05 14:53:19 Local6.Info 10.0.2.64 May 5 14:53:19 DR0-f5-02 info logger: [ssl_acc] 127.0.0.1 - - [05/May/2014:14:53:19 -0600] "/iControl/iControlPortal.cgi" 200 950

The above 2 lines were correctly detected as two separate events.

However, all 7 lines below were detected as ONE event. They shouldn't be, because the time stamp is pretty clear on each log event.

2014-05-05 14:53:19 Local6.Info 10.0.2.64 May 5 14:53:19 DR0-f5-02 info logger: [ssl_req][05/May/2014:14:53:19 -0600] 127.0.0.1 TLSv1 AES256-SHA "/iControl/iControlPortal.cgi" 950
2014-05-05 14:53:19 Local0.Notice 10.0.2.64 May 5 14:53:19 DR0-f5-02 notice bigd[7342]: 01060001:5: Service detected UP for ::ffff:10.0.36.23%149:443 monitor /Common/xxxx
2014-05-05 14:53:19 Local0.Notice 10.0.2.64 May 5 14:53:19 DR0-f5-02 notice mcpd[7130]: 01070727:5: Pool /Common/--test-- member /Common/dddd:0 monitor status up. [ /Common/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx_HTTPS: up ] [ was down for 0hr:0min:6sec ]
2014-05-05 14:53:19 Local0.Error 10.0.2.64 May 5 14:53:19 DR0-f5-02 err tmm1[10172]: 01010221:3: Pool /Common/--test-- now has available members
2014-05-05 14:53:19 Local0.Error 10.0.2.64 May 5 14:53:19 DR0-f5-02 err tmm[10172]: 01010221:3: Pool /Common/--test-- now has available members
2014-05-05 14:53:19 Local0.Error 10.0.2.64 May 5 14:53:19 DR0-f5-02 err tmm2[10172]: 01010221:3: Pool /Common/--test-- now has available members
2014-05-05 14:53:19 Local0.Error 10.0.2.64 May 5 14:53:19 DR0-f5-02 err tmm3[10172]: 01010221:3: Pool /Common/--test-- now has available members

Could you guys give me any ideas for what would be going on? Why do the 2 lines above get parsed correctly and not the following ones?
Thank you guys, any help would be appreciated.


lguinn2
Legend

I think it can happen when two events arrive "simultaneously" from the input. Or something. But it is very easy to fix.

In props.conf add this stanza (or add the statement to the existing stanza for the sourcetype)

[yoursourcetypehere]
SHOULD_LINEMERGE = false

This tells Splunk that every line is a separate event.
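Before switching a sourcetype to SHOULD_LINEMERGE = false, it is worth confirming on a sample of the raw feed that every event really does start on its own line, since that setting will also split any genuinely multi-line event. The Python script below is an added example, not Splunk code or anything from the original thread: it takes the lines quoted in the question (constructed here as an inline sample), splits them the way SHOULD_LINEMERGE = false would, flags any line that does not begin with the relay timestamp, and pulls out the facility, host, process and message ID fields. The field layout regex is an assumption about this particular relay format, not an F5 or Splunk specification.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: four of the lines quoted in the question, joined as a
# file or TCP input would deliver them.
RAW_SYSLOG = """\
2014-05-05 14:53:19 Local6.Info 10.0.2.64 May 5 14:53:19 DR0-f5-02 info logger: [ssl_acc] 127.0.0.1 - - [05/May/2014:14:53:19 -0600] "/iControl/iControlPortal.cgi" 200 795
2014-05-05 14:53:19 Local6.Info 10.0.2.64 May 5 14:53:19 DR0-f5-02 info logger: [ssl_acc] 127.0.0.1 - - [05/May/2014:14:53:19 -0600] "/iControl/iControlPortal.cgi" 200 950
2014-05-05 14:53:19 Local0.Notice 10.0.2.64 May 5 14:53:19 DR0-f5-02 notice bigd[7342]: 01060001:5: Service detected UP for ::ffff:10.0.36.23%149:443 monitor /Common/xxxx
2014-05-05 14:53:19 Local0.Error 10.0.2.64 May 5 14:53:19 DR0-f5-02 err tmm1[10172]: 01010221:3: Pool /Common/--test-- now has available members
"""

# Constructed counter-example: a feed where one event carries an indented
# continuation line. SHOULD_LINEMERGE = false would split that event in two.
RAW_WITH_CONTINUATION = """\
2014-05-05 14:53:20 Local0.Error 10.0.2.64 May 5 14:53:20 DR0-f5-02 err tmm[10172]: 01010221:3: Pool /Common/--test-- now has available members
    detail: member /Common/dddd:0 (constructed continuation line)
2014-05-05 14:53:21 Local0.Notice 10.0.2.64 May 5 14:53:21 DR0-f5-02 notice bigd[7342]: 01060001:5: Service detected UP for ::ffff:10.0.36.23%149:443 monitor /Common/xxxx
"""

# Every genuine event in this feed begins with the relay's ISO-style timestamp.
EVENT_START = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} ")

# Assumed layout of one relayed line (hypothetical, derived from the sample):
# <iso ts> <facility>.<severity> <relay ip> <bsd ts> <host> <level> <proc>[pid]: <msg>
EVENT_FIELDS = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<facility>\w+)\.(?P<severity>\w+) "
    r"(?P<relay_ip>\S+) "
    r"(?P<bsd_ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<level>\w+) "
    r"(?P<proc>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<msg>.*)$"
)


def split_events_no_linemerge(raw: str) -> List[str]:
    """Mimic SHOULD_LINEMERGE = false: every non-empty line is its own event."""
    return [line for line in raw.splitlines() if line.strip()]


def continuation_lines(raw: str) -> List[str]:
    """Lines that do not start with a timestamp.

    If this list is non-empty, some events span more than one line and
    SHOULD_LINEMERGE = false would chop them apart; a timestamp-anchored
    LINE_BREAKER would be the safer setting for such a feed.
    """
    return [line for line in split_events_no_linemerge(raw) if not EVENT_START.match(line)]


def parse_event(line: str) -> Optional[Dict[str, str]]:
    """Extract the named fields from one event line, or None if it does not fit."""
    match = EVENT_FIELDS.match(line)
    return match.groupdict() if match else None


def report(raw: str) -> Dict[str, int]:
    """Summarise a sample: event count, continuation lines, lines that fail to parse."""
    events = split_events_no_linemerge(raw)
    unparsed = [line for line in events if parse_event(line) is None]
    return {
        "events": len(events),
        "continuations": len(continuation_lines(raw)),
        "unparsed": len(unparsed),
    }


if __name__ == "__main__":
    for name, sample in (("question sample", RAW_SYSLOG), ("continuation sample", RAW_WITH_CONTINUATION)):
        summary = report(sample)
        verdict = "safe" if summary["continuations"] == 0 else "NOT safe"
        print(f"{name}: {summary} -> SHOULD_LINEMERGE = false is {verdict}")
    for line in split_events_no_linemerge(RAW_SYSLOG):
        fields = parse_event(line)
        print(fields["host"], fields["proc"], fields["pid"], fields["msg"][:40])
```

Run it against a few thousand lines pulled from the real feed rather than this hand-picked sample: a zero count of continuation lines is the evidence that every line is a complete event and the single-line setting is safe, while a non-zero count tells you which lines would be orphaned by it.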
