- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Help with LINE_BREAKING
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hI,
I have a file that appears to break correctly in the data preview, but after I index it, it's not appearing correctly. (All on a stand-alone server).
The file is this:
[INFO] Root WebApplicationContext: initialization started
[INFO] Refreshing Root WebApplicationContext: startup date [Fri Oct 16 10:49:27 EDT 2015]; root of context hierarchy
[INFO] Loading XML bean definitions from ServletContext resource [/WEB-INF/frf-modeler-servlet.xml]
[INFO] Loading XML bean definitions from class path resource [application-context.xml]
[INFO] Pre-instantiating singletons in org.springframework.beans.factory.support.DefaultListableBeanFactory@6d50ff26: defining beans [modelerEngineController,org.springframework.context.annotation.internalConfigurationAnnotationProcessor,org.springframework.context.annotation.internalAutowiredAnnotationProcessor,org.springframework.context.annotation.internalRequiredAnnotationProcessor,org.springframework.context.annotation.internalCommonAnnotationProcessor,exportController,layoutServiceController,viewNameTranslator,org.springframework.web.servlet.view.BeanNameViewResolver#0,stringHttpMessageConverter,formHttpMessageConverter,jsonMessageConverter,byteArrayMessageConverter,jsonpHttpMessageConverter,multipartResolver,exceptionResolver,jsonView,com.fmrco.asts.frf.rest.spring.FRFAnnotationMethodHandlerAdapter#0,filterService,documentFormatter,configFilter,propertyConfigurer,gridExportUtil,mvcContentNegotiationManager,org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping#0,org.springframework.format.support.FormattingConversionServiceFactoryBean#0,org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter#0,org.springframework.web.servlet.handler.MappedInterceptor#0,org.springframework.web.servlet.mvc.method.annotation.ExceptionHandlerExceptionResolver#0,org.springframework.web.servlet.mvc.annotation.ResponseStatusExceptionResolver#0,org.springframework.web.servlet.mvc.support.DefaultHandlerExceptionResolver#0,org.springframework.web.servlet.handler.BeanNameUrlHandlerMapping,org.springframework.web.servlet.mvc.HttpRequestHandlerAdapter,org.springframework.web.servlet.mvc.SimpleControllerHandlerAdapter,jsonProcessService,treeCreationService,zipService,pomHandlerService,webXmlHandlerService,archiveTreeService,generalIOStreamProcessor,componentWithMetaDataBuilder,pomHandlerServiceImplHelper,org.springframework.context.annotation.ConfigurationClassPostProcessor.importAwareProcessor]; root of factory hierarchy
[splunk@vc2cmmka023053n fpcms]$ head -10 catalina.out
[INFO] Root WebApplicationContext: initialization started
[INFO] Refreshing Root WebApplicationContext: startup date [Fri Oct 16 10:49:27 EDT 2015]; root of context hierarchy
[INFO] Loading XML bean definitions from ServletContext resource [/WEB-INF/frf-modeler-servlet.xml]
My props is:
set by detected source type
ANNOTATE_PUNCT=false
DATETIME_CONFIG = CURRENT
KV_MODE = auto
LINE_BREAKER = ([\r\n]+)([ERROR]|[INFO]|[DEBUG])
MAX_TIMESTAMP_LOOKAHEAD=150
SHOULD_LINEMERGE=false
pulldown_type=1
When I preview it, it looks fine, but once I index it, it breaks very strangely. Any suggestions?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
The events in the example are correct? I see that not all of them have time stamp.
You sould identifie when start and ends a event and what timestamp do you want to setup.
Regards,
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Use this props.conf configuration
DATETIME_CONFIG=CURRENT
SHOULD_LINEMERGE=false
NO_BINARY_CHECK=true
LINE_BREAKER=([\r\n]+)(\[ERROR\]|\[INFO\]|\[DEBUG\])\s+
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Tweak: LINE_BREAKER=([\r\n]+)\[(ERROR|INFO|DEBUG)\]\s+
I think that does the same but might be easier to read.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
They don't have a timestamp, so I'm using the DATETIME_CONFIG statement and I want it to break on [INFO], [ERROR], [DEBUG] at the beginning of any line.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
The events in the example are correct? I see that not all of them have time stamp.
You sould identifie when start and ends a event and what timestamp do you want to setup.
Regards,
New in Observability Cloud - Explicit Bucket Histograms
Updated Team Landing Page in Splunk Observability
New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...
