- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Help with line breaking
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Help with line breaking
Guys, I'm trying to index some Syslog data from some F5's. The issue I have is, Splunk seems to recognize and break log lines correctly, a majority of the time, but, sometimes, lumps more than a single event into one event. There is not difference in the log lines. Here's an example:
2014-05-05 14:53:19 Local6.Info 10.0.2.64 May 5 14:53:19 DR0-f5-02 info logger: [ssl_acc] 127.0.0.1 - - [05/May/2014:14:53:19 -0600] "/iControl/iControlPortal.cgi" 200 795
2014-05-05 14:53:19 Local6.Info 10.0.2.64 May 5 14:53:19 DR0-f5-02 info logger: [ssl_acc] 127.0.0.1 - - [05/May/2014:14:53:19 -0600] "/iControl/iControlPortal.cgi" 200 950
The above 2 lines were correctly detected as two separate events.
However, all 7 lines below were detected as ONE event. They shouldn't because the time stamp is pretty clear on each log event.
2014-05-05 14:53:19 Local6.Info 10.0.2.64 May 5 14:53:19 DR0-f5-02 info logger: [ssl_req][05/May/2014:14:53:19 -0600] 127.0.0.1 TLSv1 AES256-SHA "/iControl/iControlPortal.cgi" 950
2014-05-05 14:53:19 Local0.Notice 10.0.2.64 May 5 14:53:19 DR0-f5-02 notice bigd[7342]: 01060001:5: Service detected UP for ::ffff:10.0.36.23%149:443 monitor /Common/xxxx
2014-05-05 14:53:19 Local0.Notice 10.0.2.64 May 5 14:53:19 DR0-f5-02 notice mcpd[7130]: 01070727:5: Pool /Common/--test-- member /Common/dddd:0 monitor status up. [ /Common/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx_HTTPS: up ] [ was down for 0hr:0min:6sec ]
2014-05-05 14:53:19 Local0.Error 10.0.2.64 May 5 14:53:19 DR0-f5-02 err tmm1[10172]: 01010221:3: Pool /Common/--test-- now has available members
2014-05-05 14:53:19 Local0.Error 10.0.2.64 May 5 14:53:19 DR0-f5-02 err tmm[10172]: 01010221:3: Pool /Common/--test-- now has available members
2014-05-05 14:53:19 Local0.Error 10.0.2.64 May 5 14:53:19 DR0-f5-02 err tmm2[10172]: 01010221:3: Pool /Common/--test-- now has available members
2014-05-05 14:53:19 Local0.Error 10.0.2.64 May 5 14:53:19 DR0-f5-02 err tmm3[10172]: 01010221:3: Pool /Common/--test-- now has available members
Could you guys give me any ideas for what would be going on, why does the 2 lines above get parsed correctly and not the following ones ?
Thank you guys, any help would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I think it can happen when two events arrive "simultaneously" from the input. Or something. But it is very easy to fix.
In props.conf add this stanza (or add the statement to the existing stanza for the sourcetype)
[yoursourcetypehere]
SHOULD_LINEMERGE = false
This tells Splunk that every line is a separate event.
Introducing the Splunk Community Dashboard Challenge!
Get the T-shirt to Prove You Survived Splunk University Bootcamp
Wondering How to Build Resiliency in the Cloud?
