I am trying to index logs from my Sharepoint farm into Splunk. I have managed to get Splunk to correctly deal with multiline events.
The difficulty I have is in correctly dealing with the fields within the events that are created when the Sharepoint Message field has a larger number of characters.
As a simplified example, I might see lines like this:
Sharepoint uses the * after the timestamp to indicate a multiline event, duplicates all fields other than the Message field across all the lines in the event, and then splits the Message field across all the lines. In reality it further indicates the multiline event by using ellipses like so
I'd like to get Splunk to index the example above as a single event like:
...so (now I'm doing it! :D ) that I could search for things like
Any suggestions? I'm not sure what would be the best approach here.
UPDATE: Just realised I hadn't explained what currently seems to happen with the fields set in my props.conf - basically the fields get read correctly out of the first line (and for all single line events) but then Splunk hits the second line and lumps it and all the rest of the event into an undefined field so it can't be searched. So what I'd get from the example above is an event that contains:
and the raw event would contain the entire text from all lines. So this is the behaviour I'm trying to avoid.
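To make the desired behaviour concrete, here is an added example (not code from the original post, and not a Splunk configuration) that reassembles the continuation lines into single events the way the question describes: a line whose timestamp carries a trailing `*` is a continuation, every field except Message is duplicated across the lines, and the Message is split with `...` at the break points. The tab-separated column layout, the column names, the `...` join convention and the sample log lines are all constructed assumptions for this example; the one defensive check added is that a `*` line whose duplicated fields do not match the open event is treated as a new event rather than glued onto the wrong one.

```python
"""Reassemble SharePoint-style multiline log events (added example)."""
from typing import Dict, List

# Assumed column layout of a SharePoint ULS-style line (tab separated).
FIELDS = ["Timestamp", "Process", "TID", "Area", "Category",
          "EventID", "Level", "Message", "Correlation"]
# Every field except Message is expected to be identical across the
# lines of one multiline event.
KEY_FIELDS = [f for f in FIELDS if f != "Message"]

# Constructed sample log: one three-line event followed by a single-line
# event. Values are invented for this example.
SAMPLE_LOG = (
    "08/15/2011 10:18:00.12\tw3wp.exe (0x1A2C)\t0x0D48\tSharePoint Foundation"
    "\tGeneral\t8nca\tVerbose\tApplication error when access "
    "/Pages/default.aspx, Error=Object reference not set...\t"
    "a1b2c3d4-0000-0000-0000-000000000001\n"
    "08/15/2011 10:18:00.12*\tw3wp.exe (0x1A2C)\t0x0D48\tSharePoint Foundation"
    "\tGeneral\t8nca\tVerbose\t... to an instance of an object. at "
    "Microsoft.SharePoint.Publishing.Render...\t"
    "a1b2c3d4-0000-0000-0000-000000000001\n"
    "08/15/2011 10:18:00.12*\tw3wp.exe (0x1A2C)\t0x0D48\tSharePoint Foundation"
    "\tGeneral\t8nca\tVerbose\t...WebPart.OnLoad(EventArgs e)\t"
    "a1b2c3d4-0000-0000-0000-000000000001\n"
    "08/15/2011 10:18:01.55\tw3wp.exe (0x1A2C)\t0x0D48\tSharePoint Foundation"
    "\tMonitoring\tb4ly\tHigh\tLeaving Monitored Scope "
    "(Request (GET:http://portal/Pages/default.aspx))\t"
    "a1b2c3d4-0000-0000-0000-000000000002\n"
)


def parse_line(line: str) -> Dict[str, str]:
    """Split one raw line into named fields and detect the '*' marker."""
    parts = line.rstrip("\r\n").split("\t")
    if len(parts) != len(FIELDS):
        raise ValueError("expected %d tab-separated fields, got %d"
                         % (len(FIELDS), len(parts)))
    rec = dict(zip(FIELDS, parts))
    # A '*' directly after the timestamp flags a continuation line.
    rec["continuation"] = "1" if rec["Timestamp"].endswith("*") else ""
    rec["Timestamp"] = rec["Timestamp"].rstrip("*")
    return rec


def join_message(head: str, fragment: str) -> str:
    """Join two Message fragments, dropping the '...' split markers."""
    if head.endswith("..."):
        head = head[:-3]
    if fragment.startswith("..."):
        fragment = fragment[3:]
    return head + fragment


def same_event(open_event: Dict[str, str], rec: Dict[str, str]) -> bool:
    """True when all duplicated (non-Message) fields match."""
    return all(open_event[f] == rec[f] for f in KEY_FIELDS)


def merge_events(lines: List[str]) -> List[Dict[str, str]]:
    """Collapse continuation lines into the event they belong to.

    Each returned event has the nine named fields plus 'line_count'.
    A continuation line whose duplicated fields do not match the
    currently open event starts a new event instead of being merged.
    """
    events: List[Dict[str, str]] = []
    current = None
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["continuation"] and current is not None and same_event(current, rec):
            current["Message"] = join_message(current["Message"], rec["Message"])
            current["line_count"] += 1
            continue
        current = {f: rec[f] for f in FIELDS}
        current["line_count"] = 1
        events.append(current)
    return events


if __name__ == "__main__":
    for ev in merge_events(SAMPLE_LOG.splitlines()):
        print("%s [%s] %s (%d line(s))"
              % (ev["Timestamp"], ev["Level"], ev["Message"], ev["line_count"]))
```

Running the script prints two events: the three-line event with its Message re-joined into one string, and the single-line event after it. Searching on Level, Category or the joined Message then behaves the way the question asks for, which is the same outcome the Splunk side needs to produce at index time.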
I would consider using SEDCMD, something like:
might do it.
answered 15 Aug '11, 10:18