[tomcat]
EXTRACT = \/u01\/logs\-(?\w+)\/.* in source
### Adding the below to BREAK EVENTS only at timestamp and TRUNCATING issue
BREAK_ONLY_BEFORE = (\d+[- :,-w]+)
MAX_TIMESTAMP_LOOKAHEAD = 30
TRUNCATE = 0
We are facing an issue with multiple logs in a single event for only tomcat as the sourcetype,
May I know the reason for it.
we also have
SHOULD_LINEMERGE=true for other sourcetype should I include SHOULD_LINEMERGE=false for the tomcat.
Any help will be appreciated.
↧