Problem:
The ALB/ELB log source has a strange behavior where it treats several log records as a single message. What could be done to resolve it?
Cause:
By default, sources in Sumo Logic have multi-line detection enabled and infer the message boundary automatically.
The problem occurs when the multi-line detection parser infers the lines starting with "h2" as the message boundary, so the lines starting with "https" are appended to the preceding "h2" message instead of being treated as separate records. (The first field of an ALB access log record is the request type, such as "h2" or "https".)
Resolution:
There are two possible solutions to this issue:
1. In Manage Data -> Collection, edit the corresponding Source, uncheck "Detect messages spanning multiple lines", and update the Source. Each line is then ingested as its own message.
OR
2. Keep multi-line detection enabled and specify a boundary regex expression that matches both line types.
The regex expression:
^(h2|https).*
Option 1 is highly recommended for fixing this issue.
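As an added illustration (not part of the original article and not Sumo Logic's own code), the following Python simulates how a boundary regex decides where messages start, using constructed ALB-style log lines: a boundary that only matches "h2" concatenates the "https" records into the preceding message, while ^(h2|https).* (or disabling multi-line detection, option 1) yields one message per record. It assumes the boundary is applied as a per-line regex match, which is a simplification of the real parser.

```python
import re
from typing import Optional

# Constructed, abbreviated ALB-style access log lines (not real traffic).
# Each record starts with the request type field ("h2" or "https" here).
SAMPLE_LOG = "\n".join([
    'h2 2023-05-01T12:00:00Z app/example-alb 203.0.113.10:51234 10.0.1.20:80 200 "GET https://example.test/ HTTP/2.0"',
    'https 2023-05-01T12:00:01Z app/example-alb 203.0.113.11:51235 10.0.1.21:80 200 "GET https://example.test/login HTTP/1.1"',
    'https 2023-05-01T12:00:02Z app/example-alb 203.0.113.12:51236 10.0.1.22:80 404 "GET https://example.test/missing HTTP/1.1"',
    'h2 2023-05-01T12:00:03Z app/example-alb 203.0.113.13:51237 10.0.1.23:80 200 "POST https://example.test/api HTTP/2.0"',
])

# Boundary the article says the parser inferred, and the explicit one from option 2.
INFERRED_BOUNDARY = r"^h2.*"
EXPLICIT_BOUNDARY = r"^(h2|https).*"


def split_messages(raw: str, boundary: Optional[str]) -> list[str]:
    """Simulate multi-line detection (assumed model, not Sumo Logic's code).

    A line that matches the boundary regex starts a new message; any other
    line is appended to the message in progress. boundary=None models
    option 1 (detection disabled): every line is its own message.
    """
    lines = raw.splitlines()
    if boundary is None:
        return lines
    pattern = re.compile(boundary)
    messages: list[str] = []
    for line in lines:
        if pattern.match(line) or not messages:
            messages.append(line)
        else:
            messages[-1] += "\n" + line
    return messages


def records_per_message(raw: str, boundary: Optional[str]) -> list[int]:
    """Number of log records in each message; a value > 1 means records were concatenated."""
    return [m.count("\n") + 1 for m in split_messages(raw, boundary)]


if __name__ == "__main__":
    for label, b in [("inferred", INFERRED_BOUNDARY), ("explicit", EXPLICIT_BOUNDARY), ("disabled", None)]:
        print(f"{label:8s} boundary={b!r:20} records per message={records_per_message(SAMPLE_LOG, b)}")
```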