multiline logs in one block

Follow

Qiong Liu

• February 25, 2020 19:20

we occasionally got multiple line of logs in one block(shown below). We did not change the default setting to use "\n" as boundary detection as mentioned in this doc:

https://help.sumologic.com/03Send-Data/Sources/04Reference-Information-for-Sources/Collecting-Multiline-Logs

 

But the problem still happens. Can anyone help to fix this?

 

0

• 

  Kevin Keech

  • February 28, 2020 17:43

  If your logs are all single-line logs you will want to disable the multi-line detection within your Source configuration. When multi-line is disabled Sumo Logic will treat each line as a single message. The multi-line detection should only be enabled where you know your log messages may include multi-line messages. From the description provided it sounds like this will address the issue you are seeing. 
  
  Otherwise, when entering a multi-line detection pattern you need to make sure the regular expression supplied matches the entire first line of a new message. So using just "\n" may not provide a match. You would need to add an expression that matches all the text up to the newline.

  Ex.

  .*\n 

  0

  Comment actions Permalink

Please sign in to leave a comment.