No one?
The logs to be indexed by Splunk look like this, I might add:
2011-07-11T00:09:59+02:00 host4 [2011-07-11 00:09:59.093 1972DB90 verbose 'App'] [VpxaVMAP::Invoke] Command output:
2011-07-11T02:09:59+02:00 host4 -z -shortname=host4 -uname=VMkernel -cmd=monitornodes -domain=vmware
2011-07-11T02:09:59+02:00 host4 FT_ISOLATION_TIME=1
2011-07-11T02:09:59+02:00 host4 09:58 [print_args ] LD_LIBRARY_PATH=/lib:/usr/lib:/opt/vmware/aam/lib:/opt/vmware/vpxa/vpx:
2011-07-11T02:09:59+02:00 host4 00:09:58 [print_args ] PWD=/var/log/vmware/vpx
2011-07-11T02:09:59+02:00 host4 /usr/sbin:/bin:/usr/bin:/opt/vmware/aam/bin:/bin
2011-07-11T02:09:59+02:00 host4 00:09:58 [print_args ] cmd=monitornodes
2011-07-11T02:09:59+02:00 host4 58 [print_args ] domain=vmware
2011-07-11T02:09:59+02:00 host4
2011-07-11T02:09:59+02:00 host4 CMD: /opt/vmware/aam/bin/ftcli -domain vmware -port 8042 -timeout 5 -cmd listnodes
2011-07-11T02:09:59+02:00 host4 the master primary ***
2011-07-11T02:09:59+02:00 host4 host4 Primary Agent Running
2011-07-11T02:09:59+02:00 host4 58 [issue_cmd ] hvmc43 Primary Agent Running
2011-07-11T02:09:59+02:00 host4 00:09:58 [issue_cmd ] CMD: /bin/ping -c 1 192.168.0.254
2011-07-11T02:09:59+02:00 host4 56 data bytes
2011-07-11T02:09:59+02:00 host4 09:58 [issue_cmd ] 1 packets transmitted, 1 packets received, 0% packet loss
2011-07-11T02:09:59+02:00 host4 VMwareresult=success
2011-07-11T00:09:59+02:00 host4
2011-07-11T00:09:59+02:00 host4 [2011-07-11 00:09:59.093 1972DB90 verbose 'App'] [VpxaVMAP::Invoke] Command returned successfully
2011-07-11T00:09:59+02:00 host4 [2011-07-11 00:09:59.755 195A7B90 verbose 'SoapAdapter.HTTPService'] User agent is 'VMware-client/4.1.0'
Splunk indexes each line as one event (as expected). There are only 3 ESXi events here though, starting with syslog-ng_timestamp host4 [2011-07-11] 00:09:59....
Any ideas on how to take ESXi's timestamp as separators without changing the syslog-ng config (if possible at all) or using a Splunk forwarder etc.?
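As an added example (not part of the post above), the Python below emulates Splunk's LINE_BREAKER semantics (break where capture group 1 matches, drop the captured text) so the candidate regex can be checked against the sample lines before it goes into a props.conf stanza on the parsing tier. The stanza name, the sample subset and the helper names are assumptions; the sample lines are copied from the post.

```python
import re
from datetime import datetime

# Assumed props.conf stanza (not from the post) for the parsing tier:
#   [esxi_syslog]
#   SHOULD_LINEMERGE = false
#   LINE_BREAKER = ([\r\n]+)(?=\S+ \S+ \[\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3} )
#   TIME_PREFIX = \[
#   TIME_FORMAT = %Y-%m-%d %H:%M:%S.%3N
# A new event starts only on a line whose syslog-ng header (timestamp, host) is
# followed by the bracketed ESXi timestamp; continuation lines stay attached.
LINE_BREAKER = re.compile(
    r"([\r\n]+)(?=\S+ \S+ \[\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3} )"
)
# Same ESXi timestamp, captured for event-time extraction (note: no zone in it).
TIME_RE = re.compile(r"\[(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) ")

# Constructed sample: a subset of the lines quoted in the post, joined as one stream.
SAMPLE = "\n".join([
    "2011-07-11T00:09:59+02:00 host4 [2011-07-11 00:09:59.093 1972DB90 verbose 'App'] [VpxaVMAP::Invoke] Command output:",
    "2011-07-11T02:09:59+02:00 host4 -z -shortname=host4 -uname=VMkernel -cmd=monitornodes -domain=vmware",
    "2011-07-11T02:09:59+02:00 host4 CMD: /opt/vmware/aam/bin/ftcli -domain vmware -port 8042 -timeout 5 -cmd listnodes",
    "2011-07-11T02:09:59+02:00 host4 00:09:58 [issue_cmd ] CMD: /bin/ping -c 1 192.168.0.254",
    "2011-07-11T02:09:59+02:00 host4 VMwareresult=success",
    "2011-07-11T00:09:59+02:00 host4 [2011-07-11 00:09:59.093 1972DB90 verbose 'App'] [VpxaVMAP::Invoke] Command returned successfully",
    "2011-07-11T00:09:59+02:00 host4 [2011-07-11 00:09:59.755 195A7B90 verbose 'SoapAdapter.HTTPService'] User agent is 'VMware-client/4.1.0'",
])


def split_events(raw: str) -> list:
    """Emulate LINE_BREAKER: the start of group 1 ends the previous event,
    the end of group 1 starts the next one; text outside the group is kept."""
    events, start = [], 0
    for m in LINE_BREAKER.finditer(raw):
        events.append(raw[start:m.start(1)])
        start = m.end(1)
    events.append(raw[start:])
    return [e for e in events if e.strip()]


def event_time(event: str) -> datetime:
    """Take the event time from the ESXi bracket, as TIME_PREFIX/TIME_FORMAT would,
    instead of from the syslog-ng header at the front of the line."""
    m = TIME_RE.search(event)
    if m is None:
        raise ValueError("no ESXi timestamp in event")
    return datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S.%f")


if __name__ == "__main__":
    for ev in split_events(SAMPLE):
        print(event_time(ev), "|", ev.count("\n") + 1, "line(s)")
```

Run against the full log stream before deploying: any ESXi line whose header differs from `<timestamp> <host> [` will be folded into the preceding event.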