Hello,
We have a multiline event log setup and are noticing many events are not properly split.
The setup we're using is this: we monitor some log files with a Splunk forwarder and set an index and sourcetype there. The inputs.conf file on the forwarder looks like this:
[monitor:///path/to/logs/production*.log]
index = index_name
sourcetype = sourcetype_name
time_before_close = 120
Note here that we are monitoring multiple log files that are rotated with copytruncate, so they are always "live" and receive new data. This does not seem to have caused any trouble, especially with the long configured time_before_close. Also, the lines of an event are not written to the files in a single write but in a streaming fashion.
On the Splunk server we have configured the sourcetype to properly split the events with a props.conf file that looks like:
[sourcetype_name]
TRUNCATE = 0
SHOULD_LINEMERGE = true
BREAK_ONLY_BEFORE_DATE = false
BREAK_ONLY_BEFORE = Regex that begins the first line of events (and only that :)
MAX_EVENTS = 100000000
So while "most" events are properly split, some are broken into two or more. After some more digging it looks like it happens at a two-minute interval per file, so we imagine that it could be related to the time_before_close config.
Finally, if it's of any relevance, we're on Splunk 5.0.2.
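The following is an added example and is not part of the original post, nor is it Splunk's own code: it is a small Python model of the failure mode the poster describes, written to make the mechanism visible. It assumes, as the poster suspects, that the forwarder hands the data on in batches whenever a file has been quiet for longer than time_before_close, and that line merging with BREAK_ONLY_BEFORE is then applied to each batch on its own. The event-start regex, the sample log lines and their write timings are all constructed for the demonstration. It contrasts per-batch merging (which flushes a half-written stack trace as its own event) with merging that carries the unfinished tail over to the next batch, the behaviour one actually wants from a line breaker.

```python
import re

# Stands in for the poster's BREAK_ONLY_BEFORE regex: an event's first line
# begins with a timestamp; continuation lines (stack frames) do not.
EVENT_START = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} ")

# Constructed sample: (seconds since the file was opened, line written). It mimics
# an application that writes the lines of one multi-line event one at a time, with
# a long pause (> 120 s) in the middle of a stack trace.
WRITES = [
    (0,   "2013-03-01 10:00:00 INFO request handled"),
    (1,   "2013-03-01 10:00:01 ERROR failure in handler"),
    (2,   "    at com.example.Handler.run(Handler.java:42)"),
    (200, "    at com.example.Main.main(Main.java:7)"),   # 198 s after the previous line
    (205, "2013-03-01 10:03:25 INFO request handled"),
]


def chunk_by_idle(writes, idle_seconds=120):
    """Model of the forwarder (an assumption, not Splunk's documented behaviour):
    a batch of lines is handed on whenever the file has been quiet for longer than
    time_before_close (idle_seconds). Returns a list of batches of lines."""
    chunks, current, last_t = [], [], None
    for t, line in writes:
        if last_t is not None and t - last_t > idle_seconds and current:
            chunks.append(current)
            current = []
        current.append(line)
        last_t = t
    if current:
        chunks.append(current)
    return chunks


def merge_lines(lines, carry=None):
    """Model of SHOULD_LINEMERGE = true with BREAK_ONLY_BEFORE: a new event begins
    only on a line matching EVENT_START; every other line is appended to the event
    in progress. `carry` is an unfinished event left over from an earlier batch.
    Returns (completed events, unfinished tail lines)."""
    events = []
    current = list(carry) if carry else []
    for line in lines:
        if EVENT_START.match(line) and current:
            events.append("\n".join(current))
            current = []
        current.append(line)
    return events, current


def merge_per_chunk(chunks):
    """Each batch merged on its own: whatever is left at the end of a batch is
    flushed as an event, so an event spanning a batch boundary comes out split."""
    events = []
    for chunk in chunks:
        done, rest = merge_lines(chunk)
        events.extend(done)
        if rest:
            events.append("\n".join(rest))   # partial event, no timestamp on its first line
    return events


def merge_across_chunks(chunks):
    """The unfinished tail of a batch is held back until the next EVENT_START line
    (or the end of the stream), so the stack trace stays one event."""
    events, carry = [], None
    for chunk in chunks:
        done, carry = merge_lines(chunk, carry)
        events.extend(done)
    if carry:
        events.append("\n".join(carry))
    return events


if __name__ == "__main__":
    chunks = chunk_by_idle(WRITES)
    print(f"{len(chunks)} batches from the forwarder model")
    print("\n== per-batch merging ==")
    for ev in merge_per_chunk(chunks):
        print("---\n" + ev)
    print("\n== merging with carry-over ==")
    for ev in merge_across_chunks(chunks):
        print("---\n" + ev)
```

Run it and the per-batch variant yields four events, the third being the lone stack frame "at com.example.Main.main" with no timestamp, exactly the kind of orphan a search on the error message would miss; the carry-over variant yields three events with the complete trace. The practical check in a real deployment is the same: look for events whose first line does not match the break regex, and see whether their timestamps cluster at the time_before_close interval.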