Hi All,
I am trying to extract fields from multiline events which were injected from our server to Splunk.
We have our events as below, where each event starts with a timestamp, but all the lines below are logged as a single event. When we tried to extract fields, we were shown the error below.
The extraction failed. If you are extracting multiple fields, try removing one or more fields. Start with extractions that are embedded within longer text strings.
But I need them to be logged as multiple events, where each actual event message starts with the timestamp.
17:31:32.753 DEBUG [DatabasePoll] Database Poller-0
nextStateEvent = 1:EVENT_BEGIN_POLL
17:31:32.753 DEBUG [TraceLog] Database Poller-0
Polling database ... Database Poller-0
17:31:32.754 DEBUG [DatabasePoll] DatabasePoll
nextStateEvent = 2:EVENT_BEGIN_LOGIN_TIMER
17:31:32.754 DEBUG [TraceLog] Database Poller-0
Performing database poll ... timeout seconds=5
17:31:32.755 DEBUG [DatabasePoll] DatabasePoll
nextStateEvent = 3:EVENT_BEGIN_QUERY_TIMER
17:31:32.755 DEBUG [TraceLog] Database Poller-0
Database poll ... completed
17:31:32.755 DEBUG [DatabasePoll] DatabasePoll
nextStateEvent = 0:EVENT_READ_NEXT_STATE_EVENT
17:31:32.755 DEBUG [LocalController] Database Poller-0
Process active [Failover_Controller] [started] monitor running is true
I expect the data to be logged as below:
Event 1:
17:31:32.753 DEBUG [DatabasePoll] Database Poller-0
nextStateEvent = 1:EVENT_BEGIN_POLL
Event 2:
17:31:32.753 DEBUG [TraceLog] Database Poller-0
Polling database ... Database Poller-0
Event 3:
17:31:32.754 DEBUG [DatabasePoll] DatabasePoll
nextStateEvent = 2:EVENT_BEGIN_LOGIN_TIMER
Editing props.conf with the fields below did not help.
[Source_type]
BREAK_ONLY_BEFORE_DATE = true
TIME_FORMAT = %b %d %T
SHOULD_LINEMERGE = false
TIME_PREFIX = ^
MAX_TIMESTAMP_LOOKAHEAD = 20
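As an added illustration (not part of the post above, and not Splunk's own code), a small Python script that applies the same break-before-timestamp rule to the sample lines from the post, so the intended event boundaries and per-event fields can be checked offline before touching props.conf. The props.conf settings named in the comments are the assumed Splunk equivalents of what the script does.

```python
import re
from datetime import datetime

# Constructed sample: four of the multi-line events from the post, glued together
# exactly as they would arrive when Splunk merges them into one event.
SAMPLE = """17:31:32.753 DEBUG [DatabasePoll] Database Poller-0
nextStateEvent = 1:EVENT_BEGIN_POLL
17:31:32.753 DEBUG [TraceLog] Database Poller-0
Polling database ... Database Poller-0
17:31:32.754 DEBUG [DatabasePoll] DatabasePoll
nextStateEvent = 2:EVENT_BEGIN_LOGIN_TIMER
17:31:32.755 DEBUG [LocalController] Database Poller-0
Process active [Failover_Controller] [started] monitor running is true
"""

# Break only in front of a line that starts with HH:MM:SS.mmm. The assumed props.conf
# counterpart is  LINE_BREAKER = ([\r\n]+)(?=\d{2}:\d{2}:\d{2}\.\d{3}\s)  together with
# SHOULD_LINEMERGE = false; the lookahead keeps the timestamp at the head of the next event.
EVENT_START = re.compile(r"(?m)^(?=\d{2}:\d{2}:\d{2}\.\d{3}\s)")

# First line of every event: "<time> <level> [<component>] <thread>"
HEADER = re.compile(r"^(\d{2}:\d{2}:\d{2}\.\d{3}) (\w+) \[(\w+)\] (.*)$")


def split_events(blob):
    """Split a merged multi-line blob into events, each starting with a timestamp."""
    return [ev for ev in EVENT_START.split(blob) if ev.strip()]


def parse_event(event):
    """Pull timestamp, level, component, thread and the message lines out of one event."""
    first, _, rest = event.rstrip("\n").partition("\n")
    m = HEADER.match(first)
    if not m:
        raise ValueError("event does not start with a timestamp: %r" % first)
    ts, level, component, thread = m.groups()
    # Python's strptime has no %3N, so %f reads the 3-digit millisecond field instead.
    # The assumed Splunk equivalent is TIME_FORMAT = %H:%M:%S.%3N with TIME_PREFIX = ^,
    # rather than the %b %d %T format in the post, which has no match in these lines.
    when = datetime.strptime(ts, "%H:%M:%S.%f").time()
    return {"time": when, "level": level, "component": component,
            "thread": thread, "message": rest}


if __name__ == "__main__":
    for i, ev in enumerate(split_events(SAMPLE), 1):
        print("Event %d: %s" % (i, parse_event(ev)))
```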