Hello,
I have a problem with merging events: I searched the forum posts and the documentation and tried a lot of combinations, but none ever worked!

- My config: test environment = Splunk v5 on a single machine (so indexer and search head on the same machine)
- My log:
![alt text][1]
- My problem: Splunk takes each line as an event.
- What I want: an event only for the lines that contain "...New SMTP ICID...", so with the 6 lines above I will have 2 events:
![alt text][2]
- PROPS.CONF tested:

Tried with different LINE_BREAKER values (all tested on regex101 with success):

```ini
[iron_log]
TIME_PREFIX = ^<\d\d>
TIME_FORMAT = %b %d %H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 15
LINE_BREAKER = ^.*New SMTP ICID.*
#LINE_BREAKER = ^<\d\d>.{3}\s\d{2}\s\d{2}:\d{2}:\d{2}\s[^\:]+:\s[^\:]+:\sNew SMTP ICID
#LINE_BREAKER = ([\r\n]+)<\d\d>.{3}\s\d{2}\s\d{2}:\d{2}:\d{2}\s[^\:]+:\s[^\:]+:\sNew SMTP ICID
SHOULD_LINEMERGE = false
TRUNCATE = 999999
```

Tried with SHOULD_LINEMERGE and MUST_BREAK_AFTER:

```ini
[iron_log]
MUST_BREAK_AFTER = ^.*New
#MUST_BREAK_AFTER = ^<\d\d>.{3}\s\d{2}\s\d{2}:\d{2}:\d{2}\s[^\:]+:\s[^\:]+:\sNew SMTP ICID
BREAK_ONLY_BEFORE_DATE = false
MAX_TIMESTAMP_LOOKAHEAD = 15
TIME_PREFIX = ^<\d\d>
```

Tried without SHOULD_LINEMERGE:

```ini
[iron_log]
SHOULD_LINEMERGE = false
MUST_BREAK_AFTER = ^.*New
#MUST_BREAK_AFTER = ^<\d\d>.{3}\s\d{2}\s\d{2}:\d{2}:\d{2}\s[^\:]+:\s[^\:]+:\sNew SMTP ICID
BREAK_ONLY_BEFORE_DATE = false
MAX_TIMESTAMP_LOOKAHEAD = 15
TIME_PREFIX = ^<\d\d>
```
I always get one event per line. (I restart Splunk after each modification, and there is no error during the boot check.)

If someone has an idea, it would be great!

Thanks in advance
[1]: /storage/temp/76209-log1.png
[2]: /storage/temp/76210-log2.png
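Added example, not part of the question above: a small Python simulation of how a props.conf `LINE_BREAKER` splits the raw stream (the documented rule is that the regex must contain a capturing group, the stream is cut at each match, and the captured text is discarded), run against constructed log lines in the layout the question's regexes describe. The `SUGGESTED` breaker is an assumption about a working pattern, not something from the post.

```python
import re

# Constructed sample stream in the shape the question's regexes imply:
# <PRI>Mon DD HH:MM:SS host: process: message. Six lines, two of them
# carrying the "New SMTP ICID" marker, so the expected result is 2 events.
SAMPLE = (
    "<22>Mar 01 10:00:01 mta01: mail_logs: New SMTP ICID 1001 address 198.51.100.7\r\n"
    "<22>Mar 01 10:00:01 mta01: mail_logs: ICID 1001 ACCEPT SG UNKNOWNLIST\r\n"
    "<22>Mar 01 10:00:02 mta01: mail_logs: Start MID 5001 ICID 1001\r\n"
    "<22>Mar 01 10:00:05 mta01: mail_logs: New SMTP ICID 1002 address 203.0.113.9\r\n"
    "<22>Mar 01 10:00:05 mta01: mail_logs: ICID 1002 ACCEPT SG UNKNOWNLIST\r\n"
    "<22>Mar 01 10:00:06 mta01: mail_logs: Start MID 5002 ICID 1002\r\n"
)

# The question's first attempt: no capturing group, and '^' only matches the
# start of the whole stream, so it can never act as a breaker.
ATTEMPTED = r"^.*New SMTP ICID.*"

# Assumed working form: capture the newline(s) to discard them, then look
# ahead for a line that starts with the syslog PRI and carries the marker.
SUGGESTED = r"([\r\n]+)(?=<\d\d>[^\r\n]*New SMTP ICID)"


def line_break(stream: str, line_breaker: str) -> list[str]:
    """Simulate LINE_BREAKER with SHOULD_LINEMERGE = false.

    The stream is cut at every match; the text of capture group 1 is
    dropped, and each remaining piece becomes exactly one event.
    """
    pattern = re.compile(line_breaker)
    if pattern.groups == 0:
        raise ValueError("LINE_BREAKER must contain a capturing group")
    events, pos = [], 0
    for m in pattern.finditer(stream):
        piece = stream[pos:m.start(1)].rstrip("\r\n")
        if piece:
            events.append(piece)
        pos = m.end(1)
    tail = stream[pos:].rstrip("\r\n")
    if tail:
        events.append(tail)
    return events


if __name__ == "__main__":
    for i, ev in enumerate(line_break(SAMPLE, SUGGESTED), 1):
        print(f"--- event {i} ({len(ev.splitlines())} lines) ---")
        print(ev)
```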