Hi
I have a script which gather each db and display the schema, name, tablesapce indexspace and date from each table
It looks like this
schema name tablesapce indexspace date
SYS Table1 3434 3432 2013-01-22
SYS Table2 34535 33 2013-01-22
When I get an event under 257 Tables, they were displayed as one event.
If I get and event whit more than 257 Tables then the first event is a 257 line event and the other hundrets of events are single line events.
I have set MAX_EVENTS = 5000 in the inputs.conf and restarted the forwarder but without success
Do you have any hints how I get this events as one multiline event?
Thanks
Rob
Hi Stefano
I have used the following in the props.conf on the forwarder to keep the multiline event together.
[sourcetype]
SHOULD_LINEMERGE = true
MAX_EVENTS = 5000
now the events are gathered together
Hi Stefano
I have used the following in the props.conf on the forwarder to keep the multiline event together.
[sourcetype]
SHOULD_LINEMERGE = true
MAX_EVENTS = 5000
now the events are gathered together
you gave me the necessary hint, thanks
sorry, I thought you were asking how to split lines in single events 🙂 Glad you've found the solution anyway!
BTW SHOULD_LINEMERGE is set True by default so you won't need to specify it in props.conf 🙂
in props.conf set SHOULD_LINEMERGE parameter for this particular input to false
[sourcetype]
SHOULD_LINEMERGE = false
By default it's set to true, so Splunk will assume that until a line breaker event is found (e.g. a timestamp) all the following data are grouped in one single event. After 256 lines, Splunk automatically cut the event.