Forums: SplunkGeneral: Multiline syslog event

Previous Topic: How do I dynamically assign source and/or sourcetype data to a log entry?  |   Next Topic: How do I edit the ssLink argument that is passed to the sendemail.py search script?


Posts 1–1 of 1  |  Post to this topic
1
Burana400's Mugshot posted by: Burana400  |  posts
date: October 2, 2007
permalink

Is there a way to tell splunk to read ahead?

In Syslog I often see multiline events like this:

Oct 1 14:21:12 lns15i-0087 scsi: [ID 107833 kern.warning] WARNING: /pci@9,600000/pci@1/lpfc@4/sd@10,0 (sd448):
Oct 1 14:21:12 lns15i-0087 offline

Breaking events based on the timestamp is not safe for syslog.

But an event with only the text "offline" isn't really informative.... what would you do?

Post to this topic

You must be logged in to post a reply.










close

Flash required to play this video.

Click here to download the free Flash Player.

Description:

Permalink: