This is not current Splunk documentation.
Splunk 3.4.1 is the latest version. Only use this page with older Splunk 2.0.x.

Splunk Data Access Manual (Splunk v2.0)

Splunk Properties

Example: Specify both first and last lines for events

In the example below, we have log entries that are specifically marked with BEGIN and END lines.

-----------------
2006/06/21 17:06:17.848 INFO [ABCReconnectServer] ******** BEGIN ABC Reconnect Server start ****** 
2006/06/21 17:06:17.951 INFO [XmlBeanDefinitionReader] Loading XML bean definitions from class path resource [com/abc/databus/local/app/databus-ctx.xml]
2006/06/21 17:06:18.120 INFO [CollectionFactory] JDK 1.4+ collections available
<...>
2006/06/21 17:07:05.729 INFO [ServicesPublisher] abcAdminService registered: rmi://localhost:1198/eduAdminService
2006/06/21 17:07:05.730 INFO [ABCServerBootMgr] ...rmi services registered.
2006/06/21 17:07:05.730 INFO [ABCReconnectServer] ******** END ABC Reconnect Server start ****** 

To tell Splunk to use the BEGIN and END lines to demarcate events, we would add the properties shown below.

overlay-props.xml

<properties name="my_custom_sourcetype">
        <attribute name="MUST_NOT_BREAK_AFTER">BEGIN</attribute>
        <attribute name="MUST_BREAK_AFTER">END</attribute>
</properties>

Attributes

You may need to set one or more of these.

  • MUST_BREAK_AFTER

    The text string that marks the last line of the event.

  • MUST_NOT_BREAK_AFTER

    The text string that marks the first line of the event.

To put XML file configuration changes into effect, restart the server as shown in the Basic Server Operations section of the Splunk Admin Manual.
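
A simplified model of the event grouping these two attributes describe, run over lines from the sample above plus a constructed standalone line and a constructed truncated block. This is an added example, not Splunk's code; the name `break_events`, plain substring matching, and treating lines outside a BEGIN...END span as single-line events are assumptions.

```python
# Simplified model of BEGIN/END event breaking (not Splunk's implementation).
# Assumptions: markers are matched as plain substrings, and any line outside
# a BEGIN...END span becomes its own single-line event.

SAMPLE = """\
2006/06/21 17:06:17.848 INFO [ABCReconnectServer] ******** BEGIN ABC Reconnect Server start ******
2006/06/21 17:06:17.951 INFO [XmlBeanDefinitionReader] Loading XML bean definitions
2006/06/21 17:07:05.730 INFO [ABCReconnectServer] ******** END ABC Reconnect Server start ******
2006/06/21 17:07:06.001 INFO [Heartbeat] ok
2006/06/21 17:08:00.000 INFO [ABCReconnectServer] ******** BEGIN ABC Reconnect Server start ******
2006/06/21 17:08:00.100 INFO [CollectionFactory] JDK 1.4+ collections available
"""  # constructed: lines 4-6 are not from the page (standalone line, truncated block)


def break_events(lines, must_not_break_after="BEGIN", must_break_after="END"):
    """Group lines into events; return a list of (event_lines, complete)."""
    events, current, holding = [], [], False
    for line in lines:
        line = line.rstrip("\n")
        if not line:
            continue
        current.append(line)
        if must_break_after in line:
            # Last line of the event: close it here.
            events.append((current, True))
            current, holding = [], False
        elif must_not_break_after in line:
            # First line of an event: keep merging until the END marker.
            holding = True
        elif not holding:
            # Outside any BEGIN...END span: single-line event (assumption).
            events.append((current, True))
            current = []
    if current:
        # Input ended while still waiting for END: flag as incomplete.
        events.append((current, False))
    return events


if __name__ == "__main__":
    for n, (event, complete) in enumerate(break_events(SAMPLE.splitlines()), 1):
        status = "complete" if complete else "INCOMPLETE (no END line seen)"
        print(f"event {n}: {len(event)} line(s), {status}")
```

An event flagged incomplete, or one that contains two BEGIN lines, points to a missing END line in the source log.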
