All Apps and Add-ons

How do you ask someone a question about their own answer?

wrangler2x
Motivator

I am having difficulty with properly indexing multi-line log entries from mssql errorlog files. This particular splunk question/answer is right on the subject: link text

He says that he has solved the problem, but does not give any real detail on how he did that. I clicked on his splunk loging name but on his page I don't see any way of contacting him. How can I do that?

0 Karma

dart
Splunk Employee
Splunk Employee

You can comment on the answer, which will send them an email notification.

I see you've already done that, so I'd guess he set up the config like this:

[mssql_error]
MUST_NOT_BREAK_AFTER = Logon\s+Error
0 Karma

wrangler2x
Motivator

That would take care of the entries which have a category string of Logon, but then there are a number of others. I don't see anything in the documentation that shows you can use MUST_NOT_BREAK_AFTER multiple times; how do you have multiple MUST_NOT_BREAK_AFTER regexes?
Also, I do not care about the Logon ones anyway. They are also logged in Windows Events, and I am already receiving them in another index in Splunk, so I filter them out. But there are a variety of multi-line entries in the errorlog that don't log in Windows Events I do want to index properly. No word from jchensor

0 Karma
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...