Customer is ingesting a custom log file. with multi-line events using a Splunk Universal Forwarder which sends data to a Splunk Heavy Forwarder.
The events should contain 20 lines, starting with an event seperator (a series or dashes), a new line, a date, a new line, data payload, followed by a new line. A new event is written once every minute.
When the event is indexed it is seen as 3 seperate events, the data payload, the date and finally the event sepetator.
The customer had tried every combination of LINE_BREAKER, SHOULD_LINEMERGE, BREAK_ONLY_BEFORE, BREAK_ONLY_BEFORE_DATE, MUST_NOT_BREAK_AFTER, TRUNCATE, MAX_EVENTS etc in props.conf on the Heavy Forwarder, but the event was always broken incorrectly on the heavy forwarder.
↧