Last active
December 27, 2015 14:28
-
-
Save rodmcnew/7340374 to your computer and use it in GitHub Desktop.
Prevent Splunk from breaking PHP stack traces into multiple error events with this LINE_BREAKER regular expression.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# props.conf is at /opt/splunk/etc/system/local/props.conf in debian/ubuntu | |
# | |
# Example log entry: | |
#[Wed Nov 06 17:10:30.436963 2013] [:error] [pid 1238] [client 127.0.0.1:51876] PHP Notice: this is a test warning 22 in /var/www/warning.php on line 2 | |
#[Wed Nov 06 17:10:30.437020 2013] [:error] [pid 1238] [client 127.0.0.1:51876] PHP Stack trace: | |
#[Wed Nov 06 17:10:30.437037 2013] [:error] [pid 1238] [client 127.0.0.1:51876] PHP 1. {main}() /var/www/warning.php:0 | |
#[Wed Nov 06 17:10:30.437050 2013] [:error] [pid 1238] [client 127.0.0.1:51876] PHP 2. trigger_error() /var/www/warning.php:2 | |
# | |
# This will prevent Splunk from breaking PHP stack traces into multiple events: | |
SHOULD_LINEMERGE = false | |
LINE_BREAKER = ([\r\n]+)(?!(\[.*\]\s){3}PHP[\s\t]*Stack)(?!(\[.*\]\s){3}PHP[\s\t]*[0-9]) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment