starGirl73

Reputation: 21

Unexpected ellipsis in syslog or splunk message

I am logging data to Splunk via log4j and a SyslogAppender. Sometimes the information shows up in Splunk with an ellipsis (...) instead of the actual text, with some odd spacing. When I log the same event to a RollingFileAppender, it logs normally. Would anyone know why this is happening and how to resolve it? Thank you!

Example: InboundTxnDate: 20130926 16:53:14:475
Out...
...boundTxnTypeCode: UNK

Upvotes: 2

Views: 511

Answers (2)

bmaupin

Reputation: 15995

Would anyone know why this is happening

Ondřej Benkovský answered that very well and I have nothing to add.

how to resolve it?

If the split lines are part of the same event in Splunk, you can join them by editing $SPLUNK_HOME/etc/system/local/props.conf and adding a stanza like this:

[<spec>]
SEDCMD-join_log4j_syslog_lines=s/\.\.\.[\r\n]+\.\.\.//g

That will join the lines at index time and remove the ellipses.

Note that you'll need to change <spec> as detailed in the document for props.conf.

You can use the regex search command to make sure it's working:

 | regex "\.\.\.[\r\n]+\.\.\."

Upvotes: 0

This is how syslog appenders work: they split the log message if it is bigger than 1019 bytes. When a log message is split, that message will end with an ellipsis and the next message starts with an ellipsis. The message limit (1019 bytes) is hardcoded and cannot be changed by any configuration in log4j. Look at RFC 3164 and see the source code of SyslogAppender.

Upvotes: 1
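To see the two answers together, here is an added example (my own code, not from either answer or from log4j/Splunk) that models the split the second answer describes and applies the SEDCMD join from the first answer to the question's sample event. The halving split is a simplified assumption about SyslogAppender's behaviour, and the sample event text is constructed.

```python
import re

# Python form of the answer's SEDCMD s/\.\.\.[\r\n]+\.\.\.//g: a trailing "...",
# the line break(s), and the leading "..." of the continuation are removed.
JOIN_RE = re.compile(r"\.\.\.[\r\n]+\.\.\.")

# Constructed sample event, shaped like the one in the question.
SAMPLE_EVENT = "InboundTxnDate: 20130926 16:53:14:475\nOut...\n...boundTxnTypeCode: UNK"


def split_like_syslog_appender(message: str, limit: int = 1019) -> list[str]:
    """Simplified model (assumption, not log4j's source) of the split the
    second answer describes: a message over `limit` bytes is cut in half,
    the cut is marked with '...' on both sides, and each half is re-checked."""
    if len(message.encode("utf-8")) <= limit:
        return [message]
    half = len(message) // 2
    return (split_like_syslog_appender(message[:half] + "...", limit)
            + split_like_syslog_appender("..." + message[half:], limit))


def join_split_event(event_text: str) -> str:
    """What the SEDCMD does at index time, provided all pieces landed in the
    same Splunk event. Caveat: a message that legitimately ends in '...' and
    is followed by a line starting with '...' is joined too."""
    return JOIN_RE.sub("", event_text)


def is_still_split(event_text: str) -> bool:
    """Search-time check equivalent to the answer's `| regex "\\.\\.\\.[\\r\\n]+\\.\\.\\."`."""
    return JOIN_RE.search(event_text) is not None


if __name__ == "__main__":
    print(join_split_event(SAMPLE_EVENT))
    long_msg = "OutboundTxnTypeCode: UNK " * 60  # 1500 bytes, over the limit
    pieces = split_like_syslog_appender(long_msg)
    print(len(pieces), "pieces;", "restored" if join_split_event("\n".join(pieces)) == long_msg else "mismatch")
```

If the pieces arrive as separate Splunk events rather than one multi-line event, the SEDCMD has nothing to join across, which is the condition the first answer states.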
