Hello,
I just getting into Splunk and wondering if I can set the forwarder (maybe heavy forwarder) to merge different lines into one event.
The lines are not necessarily one after the other. I want to merge them by some unique Id.
Is it possible? Maybe not in the forwarder?
If it is not possible, What is the recommended way to handle this?
Thanks!
↧