I'm experiencing an issue where logging to Splunk over the network (either via TCP or UDP) sometimes chunks multiple lines into the same log entry. Is there any way to force these entries to be split as Splunk receives them from the port?
You probably want to use LINE_BREAKER in your props.conf. See the following link for a detailed description:
http://www.splunk.com/base/Documentation/latest/Admin/Indexmulti-lineevents
If this isn't particularly helpful, could you describe the data in more detail? If you could provide a sample of what you're seeing, that might be useful in clarifying the situation.
Thanks for the link! It looks like setting SHOULD_LINEMERGE to false fixed the problem.
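The two settings named in this thread, shown together as an added props.conf example that is not from the original posts. The sourcetype name `my_network_feed` is a hypothetical placeholder for whatever sourcetype is assigned to the TCP or UDP input.

```ini
# props.conf on the Splunk instance that parses the data
# (indexer or heavy forwarder).
# [my_network_feed] is a hypothetical sourcetype name; use the
# sourcetype set on your TCP/UDP input.
[my_network_feed]

# Default is true, which lets Splunk merge several lines into one
# event. Setting it to false makes every line-broken chunk its own event.
SHOULD_LINEMERGE = false

# Regex that marks event boundaries. The text matched by the first
# capture group is discarded and the next event starts after it.
# This value (one or more CR/LF characters) is Splunk's default and
# breaks on every newline.
LINE_BREAKER = ([\r\n]+)
```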