Hi Splunk team,
I have Oracle logs export and i would like the whole content of the log file in a single event that includes all the line in my log file (only .log files). The log file looks like this :
Connected to: Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 - Production
With the OLAP and Data Mining options
Export done in WE8MSWIN1252 character set and AL16UTF16 NCHAR character set
Note: grants on tables/views/sequences/roles will not be exported
About to export specified users ...
. exporting pre-schema procedural objects and actions
. exporting foreign function library names for user TOTO
. exporting PUBLIC type synonyms
. exporting private type synonyms
. exporting object type definitions for user TOTO
About to export TOTO's objects ...
. exporting database links
. exporting sequence numbers
. exporting cluster definitions
. about to export TOTO's tables via Conventional Path ...
. . exporting table ACCOUNT 5 rows exported
... a lots of tables and rows exported
. exporting synonyms
. exporting views
. exporting stored procedures
. exporting operators
. exporting referential integrity constraints
. exporting triggers
. exporting indextypes
. exporting bitmap, functional and extensible indexes
. exporting posttables actions
. exporting materialized views
. exporting snapshot logs
. exporting job queues
. exporting refresh groups and children
. exporting dimensions
. exporting post-schema procedural objects and actions
. exporting statistics
Export terminated successfully without warnings.
Splunk put this log file in 2 events :
- one with the firsts 35 lines
- another event with the lines to the end of my log file
I want it to be in only 1 event and for the moment, i'm using the following configuration :
props.conf :
[Oracle]
SHOULD_LINEMERGE = true
MAX_EVENTS = 500000
BREAK_ONLY_BEFORE = !!!!!
CHARSET = AUTO
and my inputs.conf :
[monitor://E:\Oracle\Backup\Datapump]
disabled = false
whitelist = (?i).*.log$
sourcetype=Oracle
index = oracle
time_before_close = 60
I have tried many things but nothing is working.
Thanks !
... View more