<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 14 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p
{mso-style-priority:99;
mso-margin-top-alt:auto;
margin-right:0cm;
mso-margin-bottom-alt:auto;
margin-left:0cm;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
p.5ee3aaf6-6264-4441-b188-6160239f8432, li.5ee3aaf6-6264-4441-b188-6160239f8432, div.5ee3aaf6-6264-4441-b188-6160239f8432
{mso-style-name:5ee3aaf6-6264-4441-b188-6160239f8432;
margin:0cm;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
span.il
{mso-style-name:il;}
span.EmailStyle20
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:70.85pt 70.85pt 70.85pt 70.85pt;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="FR" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Hi Graham,<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Splunk doesn’t care whether events are on separate lines or not; it’s all about regexp. You can set up your Splunk events by adding any separator you want. It can
be a line feed or any separator (ReqStart/ReqEnd).<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Currently, we’re fetching records (about 10 lines for each record) using Splunk without any issues.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">However, I would suggest you use varnishncsa instead of varnishlog, because the main purpose of ncsa is to write one line for each request. You
can set up the “-F” option to add more HTTP headers if needed.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<div>
<p class="MsoNormal"><b><span lang="EN-US" style="font-size:9.0pt;font-family:"Arial","sans-serif";color:#666666">Jonathan Huot<o:p></o:p></span></b></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:9.0pt;font-family:"Arial","sans-serif";color:#666666">Phone: +33(0)1.47.62.78.65<o:p></o:p></span></p>
</div>
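<p class="MsoNormal">The separator-based event splitting described in the reply above, as an added example that is not part of the original thread: it opens an event on ReqStart and closes it on ReqEnd, keyed by the leading descriptor number so interleaved requests stay separate. The sample lines are constructed, and the column layout (descriptor, tag, c/b side, payload) is an assumption about varnishlog output of that era.</p>

```python
import re

# Constructed sample in the style of varnishlog output (fd, tag, side, payload);
# not captured from a real server.
SAMPLE = """\
   11 ReqStart     c 192.0.2.10 51234 1001
   11 RxRequest    c GET
   11 RxURL        c /index.html
   11 RxHeader     c Host: www.example.org
   11 TxStatus     c 200
   11 ReqEnd       c 1001 1366884960.1 1366884960.2 0.0 0.1 0.0
   12 ReqStart     c 192.0.2.11 51300 1002
   12 RxRequest    c POST
   12 RxURL        c /login
   12 TxStatus     c 403
   12 ReqEnd       c 1002 1366884961.1 1366884961.2 0.0 0.1 0.0
"""

LINE = re.compile(r"^\s*(\d+)\s+(\S+)\s+([cb-])\s*(.*)$")

def split_events(text):
    """Group lines into events: open on ReqStart, close on ReqEnd, keyed by fd."""
    open_events, done = {}, []
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # skip lines that do not fit the assumed layout
        fd, tag, _side, payload = m.groups()
        if tag == "ReqStart":
            open_events[fd] = []
        if fd in open_events:
            open_events[fd].append((tag, payload))
            if tag == "ReqEnd":
                done.append(open_events.pop(fd))
    return done

def to_line(event):
    """Flatten one event to a single key=value line (one line per request)."""
    first = {}
    for tag, payload in event:
        first.setdefault(tag, payload)  # keep the first value seen per tag
    client = first["ReqStart"].split()[0]
    return 'client=%s method=%s url="%s" status=%s' % (
        client, first.get("RxRequest", "-"), first.get("RxURL", "-"), first.get("TxStatus", "-"))

if __name__ == "__main__":
    for ev in split_events(SAMPLE):
        print(to_line(ev))
```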
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span lang="EN-US" style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span lang="EN-US" style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> varnish-misc-bounces@varnish-cache.org [mailto:varnish-misc-bounces@varnish-cache.org]
<b>On Behalf Of </b>Graham Lyons<br>
<b>Sent:</b> Thursday 25 April 2013 12:16<br>
<b>To:</b> varnish-misc@varnish-cache.org<br>
<b>Subject:</b> Varnishlog and Splunk<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal"><span style="font-size:10.5pt;font-family:"Calibri","sans-serif";color:black">Hello,<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.5pt;font-family:"Calibri","sans-serif";color:black"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.5pt;font-family:"Calibri","sans-serif";color:black">Has anyone had any experience of putting output from varnishlog into Splunk? My experience of Splunk so far has involved access log type sources with events on
separate lines, which is obviously quite different to what comes out of varnishlog.<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.5pt;font-family:"Calibri","sans-serif";color:black"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.5pt;font-family:"Calibri","sans-serif";color:black">If there's any prior art it would be interesting to hear.<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.5pt;font-family:"Calibri","sans-serif";color:black"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.5pt;font-family:"Calibri","sans-serif";color:black">Thanks,<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.5pt;font-family:"Calibri","sans-serif";color:black">Graham.<o:p></o:p></span></p>
</div>
</div>
</body>
</html>