I've got a log of rails requests which are mostly parsed correctly. Almost every request seems to be a single event with all the relevant lines included. That is apart from the long-running requests. It seems that everything taking over a few seconds is still split into the initial request event and a few lines of summary as separate entries.
The files are created per single-threaded workers, so there are never extra lines from different contexts in between. How can I force splunk to keep those lines together? Is there some timeout value I can adjust? I can't find anything obvious in the props.conf documentation.
Those properties are available in inputs.conf.
time_before_close = <integer>
* Modification time delta required before the file monitor can close a file on
EOF.
* Tells the system not to close files that have been updated in past <integer>
seconds.
* Defaults to 3.
multiline_event_extra_waittime = [true|false]
* By default, the file monitor sends an event delimiter when:
* It reaches EOF of a file it monitors and
* The last character it reads is a newline.
* In some cases, it takes time for all lines of a multiple-line event to
arrive.
* Set to true to delay sending an event delimiter until the time that the
file monitor closes the file, as defined by the 'time_before_close' setting,
to allow all event lines to arrive.
* Defaults to false.
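Putting the two settings from the answer together, here is an added example of an inputs.conf monitor stanza (it is not from the original post or from Splunk's documentation). The log path, the sourcetype name and the 10-second value are assumptions for illustration; the setting names and defaults are the ones quoted above.

```ini
# inputs.conf (on the forwarder or indexer that reads the files)
# Path and sourcetype are assumed for this example.
[monitor:///var/log/rails/worker*.log]
sourcetype = rails

# Default is 3 seconds: a file that has not been modified for 3 s is closed
# at EOF, and with the default below the event is delimited at EOF anyway.
# Raise it so a worker still writing the summary lines of a slow request
# does not have its file closed in between.
time_before_close = 10

# Default is false: an event delimiter is sent as soon as EOF is reached
# on a trailing newline. Set to true so the delimiter is only sent when the
# file is actually closed (after time_before_close seconds of no writes),
# letting the remaining lines of a multi-line event arrive first.
multiline_event_extra_waittime = true
```

The trade-off is latency: with these values an event is not emitted until the file has been quiet for the full time_before_close interval, so pick a value just above the longest gap you see between the first line of a slow request and its summary lines.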