[tomcat]
EXTRACT = \/u01\/logs-(?\w+)\/.* in source
BREAK_ONLY_BEFORE = (\d+[- :,-w]+)
MAX_TIMESTAMP_LOOKAHEAD = 30
TRUNCATE = 0
We are facing an issue with multiple logs in a single event for only tomcat as the sourcetype,
May I know the reason for it.
we also have
SHOULD_LINEMERGE=true for other sourcetype should I include SHOULD_LINEMERGE=false for the tomcat.
Any help will be appreciated.
You should always avoid the BREAK_*
settings and use only SHOULD_LINEMERGE=false
and LINE_BREAKER = Your RegEx Here
.
HI duggp007,
surely you have to review your parsing.
To do this I suggest to take an extract of your logs with all the kind of logs in the same sourcetype (e.g. tomcat) in a text file.
Then ingest it for test using the guided procedure in web interface [Settings -- Add Data] so you can find the correct options yo use for thst sourcetype.
Probably is uncorrect the TIME_PREFIX
and/or the TIME_FORMAT
, so, sometimes, Splunk cannot recognize the start of an event and doesn't correctly break it.
Bye.
Giuseppe
Your line breaking settings in props.conf are wrong. We'll need to see some sample data to give the best settings.