Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Log4g (via Syslog) not working for multiline indexing?

jeffwarn
Explorer
‎07-25-2013 11:45 AM

I'm working on trying to get our application server's log4j working so that events will show up in searches for multiline events as a single event. There is also a problem where there are "..." breaks where the multiple lines should just continue on.

Here is an example output:

2013-07-25 14:31:49,813 [pool-4-thread-1] INFO  net.app.security.Filter (269) - Exiting ClusteredLogoutFilter#sessionCreated - Timestamp : 1374777109813
----------------------------
ID: 843352
Address: /path/to/application
Http-Method: GET
Content-Type: application/json
Headers: {content-type=[application/json], connection=[Keep-Alive], host=[myhost.com], accept-language=[en-US,en;q=0.8], x-forwarded-for=[1.1.1.1, 2.2.2.2], optr_cxt=[01000f0001eb4515a7-bdfc-42a0-8b4a-498d89c...
...05a4008cc0a81-7ab4-4e73-81b6-0e7358e69e6eb2edbc79-1b21-4e3a-bcf1-0e1ecfa297031       ;usraddr=0.0.0.0;usrname=;], x-forwarded-host=[myserver, mytest], user-agent=[Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.72 Safari/537.36], x-dds-access-path=[wan, prv], cookie=[JSESSIONID=C4E29C6715F5DDD7475CD2554EC4050B.myserver.env; __utma=43946937.444067536.1371496959.1371496959.1371562971.2; __utmz=43946937.1371496959.1.1.utmcsr=(...
...direct)|utmccn=(direct)|utmcmd=(none); LKC=22; LKCD=ltr; MODULEBASE=viewport; PAGEBASE=viewport%2Flogin%2F; MODULENAME=component; STGT=TGT-64657-z0sbkEt6gIbNzSobYudbakapZxoer5To3wI0hRkIsvU6mYPJLb-cas; osv-user-name=somebody; osv-user-remember=true; osv-user-org-continent=NA; SSOcookie=6C3E0895C362D9D2F76272B5930EF414.service; AppName=myapp; AppEnv=P], x-ssl=[0, 0], referer=...
...[somehost?os-cid=40006], accept-encoding=[gzip,deflate,sdch], x-forwarded-server=[fwd.server, otherhost], Content-Type=[application/json], Accept=[application/json]}
--------------------------------------

I assume that this is a problem within my log4j/syslog configuration on the sending server that is causing this?

The other thing, which I'm not sure that it's an issue is, say I search on "1.1.1.1" , only the line that has this will show up in the search, not the full set of lines that I'm expecting. I would have click on this entry and then do a "Show Source" to see the full lines.

Any ideas would be great. I have this in my config:

props.conf



[log4j] 

TRANSFORMS--strip-syslog = syslog-header-stripper-ts-host

[log4j]
BREAK_ONLY_BEFORE =
BREAK_ONLY_BEFORE_DATE = true
SHOULD_LINEMERGE = true
TIME_FORMAT = %Y-%m-%d %H:%M:%S,%3N
TIME_PREFIX = ^
MAX_TIMESTAMP_LOOKAHEAD = 25

Thanks!
Jeff

Tags (3)
0 Karma
Reply

jeffwarn
Explorer
‎07-29-2013 01:46 PM

It looks like the syslog timestamp/hostname was not being stripped out in some cases.

0 Karma
Reply
Get Updates on the Splunk Community!

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...

.conf24 | Personalize your .conf experience with Learning Paths!

Personalize your .conf24 Experience Learning paths allow you to level up your skill sets and dive deeper ...

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...