I have following logformat:
-- New Entry -------------------------
08:03:10 01.04.15 ncjhdnbchjbdc
08:03:10 jnkjsdncksjdnc
xd1: ndkjewnckjdwcndw
xd2: jncxkjdsnkjcndsqckjnc c cw djkcdnc cnd kj nc
08:03:10 dscsdcdsc
-- New Entry -------------------------
08:03:10 01.04.15 ncjhdnbchjbdc
08:03:10 jnkjsdncksjdnc
xd1: ndkjewnckjdwcndw
xd2: jncxkjdsnkjcndsqckjnc c cw djkcdnc cnd kj nc
08:03:10 dscsdcdsc
I want the complete entry in one line so i use the multiline extension:
<Extension multiline>
Module xm_multiline
HeaderLine /^--/
EndLine " "
</Extension>
<Input in>
Module im_file
File "input.txt"
SavePos TRUE
ReadFromLast TRUE
InputType multiline
Exec if $raw_event !~ /^--/ drop();
Exec $raw_event = replace($raw_event, "\r\n", ";");
</Input>
<Output out>
Module om_file
File "output.txt"
</Output>
<Route 1>
Path in => out
</Route>
The multiline extension works as expected for existing entries in the inputfile after start of nxlog. New entries are not correctly written in the output. Only the header will be written in the output. Has someone an idea of what iam doing wrong?
UPDATE: The PollInterval of the im_file seems to be the problem. I red following in the documentation of nxlog (section xm_multiline):
Note Until there is a new header read, the previous message is stored in the buffers because the module does not know where the message ends. The im_file module will forcibly flush this buffer after the configured PollInterval timeout. If this behaviour is unacceptable, consider using some kind of an encapsulation method (JSON, XML, RFC5425, etc) or use an end marker with EndLine if possible.
So, i use an end marker but it doesn't work. I tried different values for EndLine (regex: /^\s*$/ String: " ")
答案 0 :(得分:0)
这条线需要修复。
Exec if $raw_event !~ /^--/ drop()
应该是
Exec if $raw_event =~ /^--/ drop()