Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Getting Data In
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- multiline event not working
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
multiline event not working
mfscully
Explorer
05-15-2014
02:17 PM
I am trying to split the following log into two events based on the line feed in between the events:
15-May-2014 11:49:12.563 (2ba825c174c0) LV3THandlerUtil::transactionHandlerDispatch: Handle Message Start ==>
15-May-2014 11:49:12.564 (2ba825c174c0) LV3THandlerUtil::transactionHandlerDispatch: Call Sequence:[Scheduled
* 0x683a2e0514bc426aa3d85a3a4c27b76a->TCAutoStageEquipment[05/15/14 11:49:09:EquipId: [W29M6P5400] Workstation:[630PRB_NAND
15-May-2014 11:49:12.565 (2ba825c174c0) LV4TCAutoStageEquipment::LotList: Entering...
15-May-2014 11:49:12.566 (2ba825c174c0) LV3Timer::Cancel: Canceled Timer Request for TIMER_malamhstes
15-May-2014 11:49:12.570 (2ba825c174c0) LV3TCAutoStageEquipment::LotList: W29M6P5400: No lots to stage
15-May-2014 11:49:12.571 (2ba825c174c0) LV3TCMIPCHandler::LogBusinessEvent: BECode:[ASAE21], BEShortDesc:[NothingToStage], BEText:[W29M6P5400: Nothing to stage - 0 lot lists in dispatch list]
15-May-2014 11:49:12.576 (2ba825c174c0) LV4TCAutoStageEquipment::LotList: Exiting...
0x019ffbf889e849a0b87f7dc25d396464->TCAutoStageEquipment[05/15/14 11:49:09:EquipId: [RMAC6M3700] Workstation:[630RDA_MACRO] ScheduleMethod:[RTD] StageToTheMax:[-empty-] FailedLots:[{}] StagedLots:[{}] BadRecipes:[{}] ClaimResource:[-empty-] State:[Running] ExpectedMessages:[{LotList,LotListTimeout}]]
15-May-2014 11:49:12.588 (2ba825c174c0) LV3
15-May-2014 11:49:12.589 (2ba825c174c0) LV3
I tried the following in my props.conf and it does not work:
[source::.../trace/AMHSAutoStageSrv/.../AutoStageSrv-TransactionTrace*.trc]
sourcetype = autostagesrv_transactiontrace
TRUNCATE = 0
SHOULD_LINEMERGE = True
BREAK_ONLY_BEFORE_DATE = False
LINE_BREAKER = ^\n
BREAK_ONLY_BEFORE = Handle\sMessage\sStart
MAX_EVENTS = 500
Any ideas?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
05-15-2014
02:34 PM
Can you give this a shot?
In your props.conf
BREAK_ONLY_BEFORE=Handle\sMessage\sStart
MAX_TIMESTAMP_LOOKAHEAD=150
NO_BINARY_CHECK=1
SHOULD_LINEMERGE=true
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
mfscully
Explorer
05-15-2014
03:08 PM
using those settings it parses the message as such:
* 0x261fce339fb44db2be02f10f4228ab29->TCQualStartRun[05/15/14 17:32:36:State:[Running] ExpectedMessages:[{QualStartRun}]]
15-May-2014 17:32:36.431 (2ab9fefe44c0) LV4TCQualStartRun::QualStartRun: Entering...
15-May-2014 17:32:36.441 (2ab9fefe44c0) LV4TCQualStartRun::QualStartRun: Exiting...
Are the asterisks in the log message causing issues with splunk?
Get Updates on the Splunk Community!
Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...
The Transformative Power of AI and ML in Enhancing Observability
In the realm of IT operations, the ...
.conf24 | Registration Open!
Hello, hello! I come bearing good news: Registration for .conf24 is now open!
conf is Splunk’s rad annual ...
ICYMI - Check out the latest releases of Splunk Edge Processor
Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.
HEC Receiver authorization ...
