Splunk HEC - Disable multiline event splitting due to timestamp

I have a multi-line event that has timestamps on different lines, as shown in the example below:

[2022-02-08 08:30:23:776] [INFO] [com.example.monitoring.ServiceMonitor] Status report for services
Service 1 - Available
Service 2 - Unavailable since 2022-02-08T07:00:00 UTC
Service 3 - Available

When the log is sent to an HEC, the lines are split into multiple events as highlighted in the Splunk data pipeline's parsing phase. Due to the presence of a timestamp on line 3, it creates 2 different events.

When searching in Splunk, I see the two events as shown below while they are supposed to be part of a single event.

Event 1

[2022-02-08 08:30:23:776] [INFO] [com.example.monitoring.ServiceMonitor] Status report for services
Service 1 - Available

Event 2

Service 2 - Unavailable since 2022-02-08T07:00:00 UTC
Service 3 - Available

I can solve the issue by setting DATETIME_CONFIG to NONE in props.conf, but that creates another issue: Splunk will stop recognizing timestamps in the event.

Is it possible to achieve the same result but without disabling the above property?
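
A props.conf sketch for the situation described in the question, added here as an example and not part of the original post: it breaks events only at the bracketed header timestamp while leaving timestamp extraction enabled. The stanza name `service_monitor` is a hypothetical sourcetype, and the example assumes the data goes through the parsing phase under that sourcetype.

```ini
# Added example, not from the original post.
# [service_monitor] is a hypothetical sourcetype name; use the one assigned to this data.
[service_monitor]

# Defaults are SHOULD_LINEMERGE = true and BREAK_ONLY_BEFORE_DATE = true,
# which start a new event at any line that contains a recognizable date.
# BREAK_ONLY_BEFORE_DATE only applies while line merging is on, so turn merging off.
SHOULD_LINEMERGE = false

# Break only where newlines are followed by the bracketed header timestamp,
# e.g. "[2022-02-08 08:30:23:776]". The first capture group (the newlines)
# is the event boundary and is discarded; a bare ISO date inside a line
# such as "since 2022-02-08T07:00:00 UTC" does not match this pattern.
LINE_BREAKER = ([\r\n]+)\[\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}:\d{3}\]

# Keep timestamp recognition on (no DATETIME_CONFIG = NONE), but anchor it
# to the header at the start of the event.
TIME_PREFIX = ^\[
TIME_FORMAT = %Y-%m-%d %H:%M:%S:%3N
# Length of "2022-02-08 08:30:23:776", counted from the end of TIME_PREFIX.
MAX_TIMESTAMP_LOOKAHEAD = 23
```

These are parsing-phase settings, so they belong on the instance that parses the data (the indexer or heavy forwarder), and they take effect only for events indexed after the change.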



Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow
