Splunk is splitting each line into an event instead of grouping the whole block as one event. I've tried a few fixes for this host in C:\Program Files\Splunk\etc\system\local\props.conf. (I removed the actual IP below and replaced it with "hostname")
My ESXi host's hostd logs on the host look like below:
```
2016-08-08T19:16:29.145Z [3C481B70 error 'SoapAdapter']
--> Required parameter querySpec is missing
-->
--> while parsing call information for method QueryPerf
--> at line 1, column 285
-->
--> while parsing SOAP body
--> at line 1, column 271
-->
--> while parsing SOAP envelope
--> at line 1, column 38
-->
--> while parsing HTTP request for method queryStats
--> on object of type vim.PerformanceManager
--> at line 1, column 0
```
My props.conf additions look like the below:
**This did nothing - events came in the same**

```
[host::hostname]
BREAK_ONLY_BEFORE_DATE = true
SHOULD_LINEMERGE = true
```

**No difference once again**

```
[host::hostname]
TIME_PREFIX = (\d{4}\-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{3}Z)
BREAK_ONLY_BEFORE_DATE = true
SHOULD_LINEMERGE = true
```

**This one removed the dates, but still broke it out on each line**

```
[host::hostname]
LINE_BREAKER = (\d{4}\-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{3}Z)
```
Any ideas what I can do next? It seems like Splunk is finding a timestamp on each line, but I don't see where it's getting that.
Thanks!
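As an added illustration (not part of the original post), the script below models Splunk's LINE_BREAKER pass on a constructed copy of the hostd block plus a made-up second event: the text matched by capture group 1 is discarded and marks the event boundary, so a breaker that captures the timestamp itself throws the timestamp away, while a breaker that captures only the newline and looks ahead for the timestamp keeps each event whole. It assumes SHOULD_LINEMERGE = false, since the simulation has no line-merge pass.

```python
import re
from typing import List

# Constructed sample: the hostd lines from the question, followed by a
# second made-up event so there is a real boundary to break on.
RAW = (
    "2016-08-08T19:16:29.145Z [3C481B70 error 'SoapAdapter']\n"
    "--> Required parameter querySpec is missing\n"
    "-->\n"
    "--> while parsing call information for method QueryPerf\n"
    "--> at line 1, column 285\n"
    "2016-08-08T19:16:30.001Z [3C481B70 info 'Vimsvc']\n"
    "--> (constructed) second event line\n"
)

TS = r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{3}Z"

# The breaker from the question: group 1 is the timestamp, so it is consumed.
USER_BREAKER = r"(\d{4}\-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{3}Z)"

# Group 1 is only the newline run; the lookahead positions the break
# just before a timestamp without eating it. The props.conf this models:
#   [host::hostname]
#   SHOULD_LINEMERGE = false
#   LINE_BREAKER = ([\r\n]+)(?=\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{3}Z)
#   TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%3NZ
FIXED_BREAKER = r"([\r\n]+)(?=" + TS + ")"


def split_events(raw: str, line_breaker: str) -> List[str]:
    """Model LINE_BREAKER with SHOULD_LINEMERGE = false: everything between
    consecutive group-1 matches is one event; the group-1 text is dropped."""
    events, start = [], 0
    for m in re.finditer(line_breaker, raw):
        if m.start(1) > start:
            events.append(raw[start:m.start(1)])
        start = m.end(1)
    tail = raw[start:]
    if tail.strip():
        events.append(tail)
    return [e.rstrip("\r\n") for e in events]


if __name__ == "__main__":
    for label, breaker in (("user", USER_BREAKER), ("fixed", FIXED_BREAKER)):
        for i, ev in enumerate(split_events(RAW, breaker), 1):
            print(f"[{label}] event {i}: {ev.splitlines()[0]!r}")
```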