The Splunk platform can often recognize event boundaries on its own, but if event boundary recognition doesn't occur, or happens incorrectly, you can set custom rules in the props.conf configuration file to establish event boundaries. Many event logs have a strict one-line-per-event format, but others don't. Additional configuration settings, such as line breaking, help you break your incoming data stream into events. This is valuable if a significant amount of your data consists of multiline events. Using the LINE_BREAKER setting can produce the results you want in the line-breaking phase. Line breaking is relatively efficient for the Splunk platform, while line merging is relatively slow. If you configure the Splunk platform not to perform line merging by setting the SHOULD_LINEMERGE attribute to false, the platform splits the incoming data into events according to what the LINE_BREAKER setting determines. You don't normally need to adjust this setting, but when it is necessary, you must configure it in the props.conf configuration file on the forwarder that sends the data to Splunk Cloud Platform. By default, the Splunk platform performs line merging, and the value of SHOULD_LINEMERGE is true.
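As an added illustration (not Splunk's own code or documentation), the following script models how a `SHOULD_LINEMERGE = false` stanza with a custom `LINE_BREAKER` carves a multiline stack trace into whole events, compared with the default line breaker. The sourcetype name `app:auth` and the log sample are constructed for the example, and Python's `re` stands in for Splunk's PCRE engine, which agrees for this regex.

```python
import re

# Constructed sample input: three events, the second is a multi-line stack trace.
SAMPLE = (
    "2024-03-01 10:00:00 INFO  login ok user=alice\n"
    "2024-03-01 10:00:05 ERROR auth failed user=bob\n"
    "    Traceback (most recent call last):\n"
    '      File "auth.py", line 42, in check\n'
    "    PermissionError: bad token\n"
    "2024-03-01 10:00:09 WARN  5 failed logins src=10.0.0.7\n"
)

# props.conf stanza this example models (hypothetical sourcetype name).
# Every event starts with a timestamp, so break only where one follows a newline.
PROPS_STANZA = r"""
[app:auth]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}
"""

DEFAULT_LINE_BREAKER = r"([\r\n]+)"  # Splunk's default: one event per line


def load_stanza(text):
    """Minimal KEY = VALUE parser for a single props.conf stanza."""
    settings = {}
    for line in text.splitlines():
        if "=" in line and not line.lstrip().startswith(("[", "#")):
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings


def split_events(data, line_breaker):
    """Emulate LINE_BREAKER: the regex needs a capturing group; the text matched
    by the first group is discarded as the delimiter, whatever precedes it ends
    the previous event and whatever follows it starts the next event."""
    events, start = [], 0
    for m in re.finditer(line_breaker, data):
        events.append(data[start:m.start(1)])
        start = m.end(1)
    events.append(data[start:])
    return [e.rstrip("\r\n") for e in events if e.strip()]


if __name__ == "__main__":
    conf = load_stanza(PROPS_STANZA)
    print(len(split_events(SAMPLE, DEFAULT_LINE_BREAKER)), "events with the default breaker")
    for ev in split_events(SAMPLE, conf["LINE_BREAKER"]):  # 3 events, trace kept intact
        print(repr(ev))
```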