Hi everyone! I'm looking to use the new ListenSyslog processor in a proof-of-concept project but I encounter a problem that I can't find a suitable solution for (yet!). I'm receiving logs from multiple Java-based servers using a logback/log4j SyslogAppender. The messages are received successfully, but when a stack trace happens, each line is broken into a single FlowFile.

I'm trying to achieve something like the following: http://docs.splunk.com/Documentation/Splunk/6.2.2/Data/Indexmulti-lineevents

I tried:
- Increasing the "Max Batch Size", but I end up merging lines that should not be merged, and there's no way to know the length of the stack trace...
- Using MergeContent with the host as "Correlation Attribute Name", but as before I merge lines that should not be merged.
- Using MergeContent followed by SplitContent; that might work, but SplitContent is pretty restrictive and I can't find a "Byte Sequence" that is different from a stack trace.

Even if I find a magic "Byte Sequence" for my last try (MergeContent + SplitContent), I would most probably lose a part of the stack trace, as MergeContent is limited by the "Max Batch Size".

The only solution that I see is to modify ListenSyslog to add some parameter similar to what the Splunk documentation explains and use that rather than a fixed "Max Batch Size".

Am I missing another option? Would that be a suitable feature? (Maybe I should ask that question on the dev mailing list.)

Best regards!
