Solved: Need Line Breaking help on unifier data where even...

cpetterborg · ‎10-24-2014

I have the following data that I'm trying to set up the props.conf file for:

--------
14/10/13 11:18:02 Start process
--------

Oracle Web Cache 11g (11.1.1.6)
Copyright (c) 1999, 2013, Oracle and/or its affiliates. All rights reserved.

[2014-10-13T11:18:02-06:00] [webcache] [ERROR:32] [WXE-13134] [config] [ecid: ] Oracle Web Cache did not find a  matching CACHE element in webcache.xml for the current host name (l14172), Oracle instance (/opt/oracle/Middleware/Oracle_WT1/instances/instance1) and system component name (webcache1).
[2014-10-13T11:18:02-06:00] [webcache] [ERROR:1] [WXE-09000] [main] [ecid: ] Oracle Web Cache process of ID 23590 exits with code 1 at line 7743 of file loadcfg.c [label: Build 11.1.1.7.0 130113.0721]
[2014-10-13T11:18:02-06:00] [webcache] [NOTIFICATION:1] [WXE-08514] [logging] [ecid: ] Cache server process ID 23590 is shutting down.

--------
14/10/13 11:18:04 Start process
--------

Oracle Web Cache 11g (11.1.1.6)
Copyright (c) 1999, 2013, Oracle and/or its affiliates. All rights reserved.

[2014-10-13T11:18:04-06:00] [webcache] [ERROR:32] [WXE-13134] [config] [ecid: ] Oracle Web Cache did not find a  matching CACHE element in webcache.xml for the current host name (l14172), Oracle instance (/opt/oracle/Middleware/Oracle_WT1/instances/instance1) and system component name (webcache1).
[2014-10-13T11:18:04-06:00] [webcache] [ERROR:1] [WXE-09000] [main] [ecid: ] Oracle Web Cache process of ID 23592 exits with code 1 at line 7743 of file loadcfg.c [label: Build 11.1.1.7.0 130113.0721]
[2014-10-13T11:18:04-06:00] [webcache] [NOTIFICATION:1] [WXE-08514] [logging] [ecid: ] Cache server process ID 23592 is shutting down.

The line breaking that I want to employ is to break at the "--------" line that has the year following it, OR the lines that begin with a square bracket ( "[" ). I have tried my REGEX in a couple of regex tools and they work in those, but not in Splunk. The config I'm using is:

[ unifier_webcache ]
SHOULD_LINEMERGE=true
BREAK_ONLY_BEFORE=^(--------[\n\r]1)|^(\[)
NO_BINARY_CHECK=true

It finds the line breaks that start with the square bracket, but not the ones that start with the hyphens.

Any clues as to how I can get it to do the proper line breaks?

somesoni2 · ‎10-24-2014

Try with this

[unifier_webcache]
BREAK_ONLY_BEFORE = ^(\s*\d{2}/\d{2}|\[\d{4}-\d{2})
MAX_TIMESTAMP_LOOKAHEAD = 150
NO_BINARY_CHECK = 1
SEDCMD-removehyphens = s/--------//
SHOULD_LINEMERGE = true

View solution in original post

martin_mueller · ‎10-24-2014

Use this:

BREAK_ONLY_BEFORE=(^\[)|(^--------[\n\r]+\d\d)

The key is to add the plus quantifier, I'm guessing your line breaks are \r\n which doesn't match plain old [\r\n], that's just one character.

somesoni2 · ‎10-24-2014

Try with this

[unifier_webcache]
BREAK_ONLY_BEFORE = ^(\s*\d{2}/\d{2}|\[\d{4}-\d{2})
MAX_TIMESTAMP_LOOKAHEAD = 150
NO_BINARY_CHECK = 1
SEDCMD-removehyphens = s/--------//
SHOULD_LINEMERGE = true

cpetterborg · ‎10-28-2014

The SEDCMD was the real trick to fixing the problem. I don't like having the data look different in Splunk from the log, but it doesn't work right otherwise, so it has become my solution.

BTW, the BREAK_ONLY_BEFORE didn't match the timestamp, but I had that anyway.

Thanks so much!

Need Line Breaking help on unifier data where events look different

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms