Hello,
I have been fighting with this issue for the past few days and still cannot manage to solve it. After reading documentation, searching this forum and an abundant amount of googling, here I am.
My Puma log looks like this:
I, [2018-01-23T15:04:18.058127 #28] INFO -- : [cad63e92-848e-4f93-ac49-041569978447] Started GET "/api/oe/recent_searches.json" for 100.96.20.4 at 2018-01-23 15:04:18 +0000
I, [2018-01-23T15:04:18.059429 #28] INFO -- : [cad63e92-848e-4f93-ac49-041569978447] Processing by Api::Oe::RecentSearchesController#index as JSON
I, [2018-01-23T15:04:18.059492 #28] INFO -- : [cad63e92-848e-4f93-ac49-041569978447] Parameters: {"recent_search"=>{}}
D, [2018-01-23T15:04:18.063726 #28] DEBUG -- : [cad63e92-848e-4f93-ac49-041569978447] User Load (1.3ms) SELECT "users".* FROM "users" WHERE "users"."id" = $1 ORDER BY "users"."id" ASC LIMIT $2 [["id", 4], ["LIMIT", 1]]
D, [2018-01-23T15:04:18.067015 #28] DEBUG -- : [cad63e92-848e-4f93-ac49-041569978447] Search Load (1.1ms) SELECT "searches".* FROM "searches" WHERE "searches"."id" = 151
I, [2018-01-23T15:04:18.070320 #28] INFO -- : [cad63e92-848e-4f93-ac49-041569978447] [active_model_serializers] Rendered ActiveModel::Serializer::CollectionSerializer with ActiveModelSerializers::Adapter::Attributes (1.9ms)
I, [2018-01-23T15:04:18.070584 #28] INFO -- : [cad63e92-848e-4f93-ac49-041569978447] Completed 200 OK in 11ms (Views: 2.4ms | ActiveRecord: 2.4ms)
My first problem is that I cannot get Splunk to split events correctly. Whatever I try, I get one event per line. Could anybody provide a working example of a stanza that puts the above log in a single event?
The second problem is that sometimes log entries overlap with one another. In other words, as one entry begins (Started GET...) another might start as well before the first one completes (Completed 200 OK...). When that happens, the only way to discern one from the other is using the transaction id. Would it be possible to also split these entries correctly at index time?
Thank you
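Added example, not part of the original post: a Python sketch that regroups overlapping lines by the bracketed request id and closes each group at its "Completed" line, as a pre-processing step outside Splunk rather than a Splunk configuration. The function names, the request ids and the sample lines are constructed for illustration.

```python
import re
from collections import OrderedDict

# Ruby Logger prefix followed by the Rails request-id tag, as in the post's log.
LINE_RE = re.compile(
    r"^[A-Z], \[(?P<ts>\S+) #(?P<pid>\d+)\]\s+(?P<level>[A-Z]+) -- : "
    r"\[(?P<rid>[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})\] (?P<msg>.*)$"
)

def group_requests(lines):
    """Group lines by request id; a group closes at its 'Completed' line.

    Returns (complete, pending), each an ordered map: request id -> lines.
    """
    complete, pending = OrderedDict(), OrderedDict()
    for raw in lines:
        line = raw.rstrip("\n")
        m = LINE_RE.match(line)
        if m is None:
            continue  # untagged line (boot message, etc.): out of scope here
        rid = m.group("rid")
        pending.setdefault(rid, []).append(line)
        if m.group("msg").startswith("Completed "):
            complete[rid] = pending.pop(rid)
    return complete, pending

def to_events(complete):
    """One multi-line string per finished request, in completion order."""
    return ["\n".join(group) for group in complete.values()]

# Constructed sample: requests A and B overlap, C has not completed yet.
A = "aaaaaaaa-0000-4000-8000-000000000001"
B = "bbbbbbbb-0000-4000-8000-000000000002"
C = "cccccccc-0000-4000-8000-000000000003"
P = "[2018-01-23T15:04:18.058127 #28]"
SAMPLE = [
    f'I, {P} INFO -- : [{A}] Started GET "/a.json" for 192.0.2.10 at 2018-01-23 15:04:18 +0000',
    f'I, {P} INFO -- : [{B}] Started GET "/b.json" for 192.0.2.11 at 2018-01-23 15:04:18 +0000',
    f'D, {P} DEBUG -- : [{A}] User Load (1.3ms) SELECT 1',
    f'I, {P} INFO -- : [{B}] Completed 200 OK in 9ms',
    f'I, {P} INFO -- : [{A}] Completed 200 OK in 11ms',
    f'I, {P} INFO -- : [{C}] Started GET "/c.json" for 192.0.2.12 at 2018-01-23 15:04:19 +0000',
]

if __name__ == "__main__":
    done, still_open = group_requests(SAMPLE)
    print("\n\n".join(to_events(done)))
```

Requests left in the pending map never logged a "Completed" line within the input, so a caller has to decide whether to hold them for the next batch or flush them as partial events.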