I am struggling to break multi-line events correctly with a source defined as a monitor input. Occasionally, Splunk breaks events incorrectly. If I clean up the event index and the _thefishbucket index, the event that was previously broken incorrectly gets broken correctly the second time, during reindexing.
My event log files are XML-formatted.
1 201096 13 9 2012-07-13T13:23:58.829881Z SCOTT oracle host.domain.com 1461 pts/0 1 BMF ACCOUNTS 3 0 15185818 1902324057 select * from bmf.accounts
1 201096 11 8 2012-07-13T13:23:49.209880Z SCOTT oracle host.domain.com 1461 pts/0 1 BMF ACCOUNTS 3 0 15185815 1902324057 select * from bmf.accounts
1 201096 10 7 2012-07-13T13:23:38.261471Z SCOTT oracle host.domain.com 1461 pts/0 1 BMF ACCOUNTS 3 0 15185812 1902324057 select count(*) from bmf.accounts
1 201096 5 5 2012-07-13T13:23:30.117440Z SCOTT oracle host.domain.com 1461 pts/0 1 SYSTEM PRODUCT_PRIVS 3 0 15185791 1902324057 SELECT CHAR_VALUE FROM SYSTEM.PRODUCT_PRIVS WHERE (UPPER('SQL*Plus') LIKE UPPER(PRODUCT)) AND ((USER LIKE USERID) OR (USERID = 'PUBLIC')) AND (UPPER(ATTRIBUTE) = 'ROLES')
Here is my props.conf:
LINE_BREAKER=([\r\n]+)
TIME_PREFIX=
TZ=UTC
MAX_TIMESTAMP_LOOKAHEAD=27
NO_BINARY_CHECK=1
SHOULD_LINEMERGE=true
MUST_BREAK_AFTER=
TRUNCATE=0
This is how one of the events got broken:
estamp>2012-07-13T13:23:30.118117Z SCOTT oracle host.domain.com 1461 pts/0 1 SYS DUAL 3 0 15185791 1902324057 SELECT DECODE('A','A','1','2') FROM DUAL
As you can see, the event should have been broken at the " " tag, but it did not break at that tag; instead it was broken in the middle of the " " tag.
I would appreciate a quick response.
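The config above breaks the stream on every newline (LINE_BREAKER=([\r\n]+)) and then relies on SHOULD_LINEMERGE to glue the pieces of a multi-line XML record back together. The following Python script is an added illustration, not part of the question or of Splunk itself: it emulates the documented LINE_BREAKER semantics (the regex must contain a capturing group; the previous event ends where the group starts, the next event begins where it ends, and the captured text is discarded) and compares newline breaking with a breaker anchored on the record's opening tag. The element names (<Record>, <Ts>, <Sql>) and the sample records are constructed placeholders, since the real tag names were lost from the question.

```python
import re
from typing import List
import xml.etree.ElementTree as ET

# Constructed sample stream: three XML records. The second one spans three
# physical lines, which is what trips up a breaker that splits on every newline.
# <Record>, <Ts> and <Sql> are placeholder element names (assumption).
SAMPLE = (
    "<Record><Ts>2012-07-13T13:23:58.829881Z</Ts><Sql>select * from t</Sql></Record>\n"
    "<Record><Ts>2012-07-13T13:23:49.209880Z</Ts>\n"
    "<Sql>select count(*)\nfrom t</Sql></Record>\n"
    "<Record><Ts>2012-07-13T13:23:38.261471Z</Ts><Sql>select 1 from dual</Sql></Record>\n"
)

# Breaker from the question: every run of CR/LF ends an event.
NEWLINE_BREAKER = r"([\r\n]+)"

# Alternative: only a newline run that is immediately followed by the opening
# tag of the next record ends an event. The lookahead is not captured, so the
# tag stays at the start of the next event.
RECORD_BREAKER = r"([\r\n]+)(?=<Record>)"


def split_events(stream: str, line_breaker: str) -> List[str]:
    """Emulate Splunk's LINE_BREAKER: split the raw stream into events.

    Wherever the regex matches, the start of capture group 1 ends the previous
    event and the end of group 1 starts the next one; the captured text itself
    is dropped. Empty fragments are discarded and trailing whitespace trimmed.
    """
    pattern = re.compile(line_breaker)
    events: List[str] = []
    pos = 0
    for m in pattern.finditer(stream):
        if m.lastindex is None:
            raise ValueError("LINE_BREAKER must contain a capturing group")
        events.append(stream[pos:m.start(1)])
        pos = m.end(1)
    events.append(stream[pos:])
    return [e.rstrip() for e in events if e.strip()]


def count_well_formed(events: List[str]) -> int:
    """Return how many events parse as a complete XML document on their own.

    A fragment such as '<Record><Ts>...</Ts>' (no closing tag) or a bare
    'from t</Sql></Record>' fails to parse, which is a cheap way to detect
    records that were split mid-way by the breaker.
    """
    ok = 0
    for ev in events:
        try:
            ET.fromstring(ev)
            ok += 1
        except ET.ParseError:
            pass
    return ok


if __name__ == "__main__":
    for name, breaker in (("newline", NEWLINE_BREAKER), ("record", RECORD_BREAKER)):
        evs = split_events(SAMPLE, breaker)
        print(f"{name} breaker: {len(evs)} events, {count_well_formed(evs)} well-formed")
        for ev in evs:
            print("  ---")
            print("  " + ev.replace("\n", "\n  "))
```

With the newline breaker the three-line record is emitted as three fragments, only two of the five events parse, and correct reassembly depends on SHOULD_LINEMERGE finding a timestamp in the right place. With the record-anchored breaker every event is a whole record and the line-merging step is not needed at all (SHOULD_LINEMERGE=false), which is the usual recommendation for XML audit logs. The input is read here as a complete string; a monitor input that reads a file while it is still being written can see a record before its closing tag has been flushed, which is consistent with the observation that the same event breaks correctly on reindex.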