For your first problem: there is a difference between what Splunk considers an event and what you are considering an event. Or, more correctly, the Splunk concept of an event doesn't line up with how Rails generates its logs. An event in Splunk parlance is an atomic data point in a logfile. As far as Splunk is concerned, the single Rails event of 'page load' is made up of several Splunk 'single line' events. There is no way, without writing a pre-parser, to get all the constituent lines comprising a single Rails event to be joined into a single Splunk event.
All is not doom and gloom, however. Once Splunk ingests the many lines of log data from your Rails logs, you can join those lines together at search time into a single result. You can either use the Splunk 'transaction' command or the considerably faster 'stats' command to join them together. For starters I'd recommend using the 'transaction' command, as it's easier to figure out how to join the lines together.
Fortunately, Rails includes its event id field (I forget its true name) in the lines of its logs, so it's easy to join them together. The hardest part is going to be writing the regex to extract that field the first time. I haven't tested, but something like this should work:
| rex field=_raw ":\s\[(?P<event_id>[a-z0-9-]+)\]"
You could then take that a step further and move that setting into props.conf for the sourcetype in question, so that the event_id is extracted automatically.
EXTRACT-eventid = :\s\[(?P<event_id>[a-z0-9-]+)\]
Sorry I couldn't give you the answer you were hoping for, but hopefully that helps a bit.
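As an added illustration (not part of the answer above, and not Splunk's or Rails' own code), the following Python script runs the same event_id regex over a handful of constructed Rails log lines and groups them by request id the way `transaction event_id` would at search time, reporting eventcount and duration per request. The log lines, process ids and request ids are made up; the script is only a way to sanity-check the extraction before committing it to props.conf.

```python
import re
from datetime import datetime

# The regex from the answer, unchanged: Python uses the same (?P<name>...) group syntax.
EVENT_ID_RE = re.compile(r":\s\[(?P<event_id>[a-z0-9-]+)\]")
# Timestamp as written by Ruby's default Logger formatter: "I, [2024-03-01T10:00:00.000100 #4242]  INFO -- : ..."
TS_RE = re.compile(r"^\w, \[(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d+) #\d+\]")

# Constructed sample: two interleaved requests, each spanning three lines (ids are invented).
SAMPLE_LOG = """\
I, [2024-03-01T10:00:00.000100 #4242]  INFO -- : [a1b2c3d4-0000-4000-8000-000000000001] Started GET "/orders" for 10.0.0.5 at 2024-03-01 10:00:00 +0000
I, [2024-03-01T10:00:00.000400 #4243]  INFO -- : [a1b2c3d4-0000-4000-8000-000000000002] Started POST "/login" for 10.0.0.9 at 2024-03-01 10:00:00 +0000
I, [2024-03-01T10:00:00.001200 #4242]  INFO -- : [a1b2c3d4-0000-4000-8000-000000000001] Processing by OrdersController#index as HTML
I, [2024-03-01T10:00:00.003000 #4243]  INFO -- : [a1b2c3d4-0000-4000-8000-000000000002] Processing by SessionsController#create as HTML
I, [2024-03-01T10:00:00.045000 #4242]  INFO -- : [a1b2c3d4-0000-4000-8000-000000000001] Completed 200 OK in 43ms (Views: 30.1ms | ActiveRecord: 8.2ms)
W, [2024-03-01T10:00:00.120000 #4243]  WARN -- : [a1b2c3d4-0000-4000-8000-000000000002] Completed 401 Unauthorized in 117ms
"""


def extract_event_id(line):
    """Return the bracketed request id after ' : ', or None when the line carries none."""
    m = EVENT_ID_RE.search(line)
    return m.group("event_id") if m else None


def build_transactions(log_text):
    """Group lines by event_id in arrival order, mimicking what `transaction event_id`
    yields: eventcount, duration (seconds from first to last line) and the joined _raw."""
    groups = {}
    for line in log_text.splitlines():
        event_id = extract_event_id(line)
        if event_id is None:
            continue  # lines without a request id (startup banners etc.) stay ungrouped
        ts = datetime.strptime(TS_RE.match(line).group("ts"), "%Y-%m-%dT%H:%M:%S.%f")
        g = groups.setdefault(event_id, {"first": ts, "last": ts, "lines": []})
        g["first"], g["last"] = min(g["first"], ts), max(g["last"], ts)
        g["lines"].append(line)
    return {
        eid: {
            "eventcount": len(g["lines"]),
            "duration": (g["last"] - g["first"]).total_seconds(),
            # True when both ends of the request were seen, like startswith/endswith on transaction
            "complete": any(" Started " in l for l in g["lines"]) and any(" Completed " in l for l in g["lines"]),
            "_raw": "\n".join(g["lines"]),
        }
        for eid, g in groups.items()
    }


if __name__ == "__main__":
    for eid, tx in build_transactions(SAMPLE_LOG).items():
        print(eid, tx["eventcount"], tx["duration"], tx["complete"])
```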