Here's the scenario. I have a log file in Windows that looks like this:
c:\Program Files\server-program>server-command do-stuff-here-to-user joeschmo
Command executed successfully.
c:\Program Files\server-program>server-command do-stuff-here-to-user invaliduser
Error: Unable to execute server command. The user with name 'invaliduser' could not be found.
I have the Universal Forwarder on this server monitoring the log successfully. I want the events in Splunk to look like they do in the log, with one event per log entry. I've had to set up linemerging on the indexer in order to get things to look right (without it, log entries would be broken into events in ways I don't want), but I'm still dealing with a problem. Log entries that end successfully are linemerged the way I want, but entries that end with an error are still broken into separate events (one event for the command, and another for the error message output).
I've determined this is due to the frequency at which the UF polls the log. Running a command successfully takes less than a second to write both lines to the log, so they appear within the same polling cycle. But if a command fails, it's about a 3 second delay between writing the first line (the command) and the second (the error message output).
How do I get Splunk to either poll this file less frequently, or merge the events together? Below is what I currently have in props.conf on the indexer. Thanks!
[MyCustomSourcetype]
LINE_BREAKER = ([\r\n]+)
BREAK_ONLY_BEFORE = c:\\Program
SHOULD_LINEMERGE = true
Experiment with different values of time_before_close in the forwarder's inputs.conf file. See Monitor files and directories with inputs.conf or inputs.conf.spec.
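As an added illustration (not part of the question or the answer above), the following Python script models the props.conf rules from the question (LINE_BREAKER plus SHOULD_LINEMERGE with BREAK_ONLY_BEFORE) and shows why only the failing entry splits. It assumes, as the question describes, that each read the forwarder hands over is merged on its own, so a read boundary falling between the command line and the delayed error line produces two events; this models the observed behaviour, not Splunk's documented internals.

```python
import re

# Constructed sample log, taken from the scenario in the question.
LOG_LINES = [
    "c:\\Program Files\\server-program>server-command do-stuff-here-to-user joeschmo",
    "Command executed successfully.",
    "c:\\Program Files\\server-program>server-command do-stuff-here-to-user invaliduser",
    "Error: Unable to execute server command. The user with name 'invaliduser' could not be found.",
]
SAMPLE_LOG = "".join(line + "\r\n" for line in LOG_LINES)

# Constructed read boundary (assumption): both lines of the successful entry
# land in one read, but the failing entry's error line is written ~3 s later,
# after the forwarder has reached EOF and waited out time_before_close.
DELAYED_CHUNKS = [
    "".join(line + "\r\n" for line in LOG_LINES[:3]),
    LOG_LINES[3] + "\r\n",
]

# The two regexes from the question's props.conf stanza.
LINE_BREAKER = re.compile(r"[\r\n]+")
BREAK_ONLY_BEFORE = re.compile(r"c:\\Program")


def merge_events(chunk):
    """Model SHOULD_LINEMERGE = true with BREAK_ONLY_BEFORE: a line starts a
    new event only if it matches the regex, otherwise it is appended to the
    previous event. Returns the list of events found in this chunk."""
    events = []
    for line in LINE_BREAKER.split(chunk):
        if not line:
            continue  # skip the empty string left after the trailing newline
        if BREAK_ONLY_BEFORE.match(line) or not events:
            events.append(line)
        else:
            events[-1] += "\n" + line
    return events


def index_chunks(chunks):
    """Model of the symptom in the question: each chunk the forwarder delivers
    is merged independently, so a pending event cannot absorb a line that
    arrives in a later chunk."""
    events = []
    for chunk in chunks:
        events.extend(merge_events(chunk))
    return events


if __name__ == "__main__":
    print(len(merge_events(SAMPLE_LOG)), "events when the whole log arrives at once")
    print(len(index_chunks(DELAYED_CHUNKS)), "events when the error line arrives late")
```

Raising time_before_close so the forwarder keeps the file open across the 3-second gap corresponds to the first case (a single chunk), which is why the answer suggests tuning it.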