In the web form application, when new line is inserted (by hitting Enter key) in text area, it logs through Logger Factory, and gets sent over to Splunk Cloud. I've realized that this causes multiple events (per new line) instead of one single event.
It is logged in one single statement, however.
LOGGER.info(form.toString());
Is this default behavior? And is there way to make it single event?
Can you post a log example (sanitised if need be) which shows what the event should look like?
During the parsing phase, data from the input phase is broken up into individual events.
Splunks parsing phase determines where an event starts and the next one begins.
For multi line events Splunk tries to determine event boundaries by looking at the props.conf settings:
For example the line
- BREAK_ONLY_BEFORE_DATE = true (default)-->looks for a new line with a date at the start.
- MAX_EVENTS = 256 (default)--> Allows a maximum of 256 characters per event. (I suspect this might be your problem)
There are many more that you can use there...
Check https://docs.splunk.com/Documentation/Splunk/latest/Data/Configureeventlinebreaking for all the details.
Hi mayurr98,
I appreciate for the feedback. I know for sure that it isn't 256 characters per event, as event gets created even with few characters. However, I agree that it may be way props.conf is configured. I'll look to see what is going on. Thanks!
yes sure check and let me know ! I may be wrong