Why does the JMS Messaging Modular Input remove the carriage return (0x0d) character during indexing?

hannus
Explorer

I'm having a hard time dealing with carriage returns in Splunk Enterprise!

Indexing a file with CR+LF at the end of each line (on Windows) using the Add Data wizard in the main view works perfectly when using the "LINE_BREAKER=((*FAIL))" control. But when I use the JMS Messaging Modular Input with that control and the same props.conf stanza, it does not work. Indexing messages using this modular input removes the CR character at the end of each line. The LF character is not removed. The event with multiple lines looks nice in the Search app, but the CR is missing if I look at the "0" file in the "rawdata" folder.

I do not have the option "Strip newline characters from message body" selected so the CR and LF should be indexed.

How can I fix this?

Basically I'm trying to import data into Splunk "as is" and eventually export the event also "as is". Exporting also removes the CR character, by the way...

Thanks for any help!

0 Karma

Damien_Dallimor
Ultra Champion

Post your inputs.conf stanza for your JMS input and any props.conf and transforms.conf stanzas you are applying.

0 Karma

hannus
Explorer

I'm importing messages that are in XML format and I'm extracting 25 fields during indexing. I verified from the messaging system that it is sending the CR character. Everything else seems to work fine. I managed to get rid of the JMS message header with the fresh version of the JMS Messaging Modular Input (v.1.5.1). That was good!

inputs.conf (in /apps/launcher/local):

[jms://queue/:QSPLUNKIN_Dest]
browse_frequency = 30
browse_mode = all
browse_queue_only = 0
durable = 0
hec_batch_mode = 0
hec_https = 0
index = jms
index_message_header = 0
index_message_properties = 0
init_mode = jndi
jms_connection_factory_name = SplunkConnectionFactory
jndi_initialcontext_factory = com.sun.jndi.fscontext.RefFSContextFactory
jndi_provider_url = file:/C:/MQJNDI
output_type = stdout
sourcetype = ME120_st_spec
strip_newlines = 0
disabled = 0
message_handler_impl = com.splunk.modinput.jms.custom.handler.BodyOnlyMessageHandler

props.conf (in apps/jms_ta/local):

[ME120_st_spec]
NO_BINARY_CHECK = true
category = Custom
description = My comment here
pulldown_type = 1
disabled = false
MAX_TIMESTAMP_LOOKAHEAD = 19
TIME_FORMAT = %Y-%m-%dT%H:%M:%S
TIME_PREFIX = < MonitoringTime > ((<-- had to add spaces here to show the text))
MAX_EVENTS = 50000
SHOULD_LINEMERGE = true
BREAK_ONLY_BEFORE = ^ < ? xml version ((<-- also had to add spaces here to show the text))
TRUNCATE = 60000
TRANSFORMS-me120 = Field1,Field2,Field3,Field4,...,Field24,Field25
LINE_BREAKER = ((*FAIL))

transforms.conf (in apps/jms_ta/local):

[Field1]
REGEX = ((?<=Field1>).*?(?=< / Field1>)) ((<-- again more spaces here to show text))
FORMAT = Field1::$1
WRITE_META = true

[Field2]
REGEX = ((?<=Field2>).*?(?=< / Field2>)) ((<-- and again more spaces here to show text))
FORMAT = Field2::$1
WRITE_META = true

...[Field25]...

Thanks for your help!

0 Karma
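
One way to pin down where the CR bytes disappear, as an added example that is not part of the original thread: it compares the bytes of a message as sent with the bytes read back from Splunk (an export or the rawdata copy) and reports whether the only change is the line endings. The function names and the sample XML payload are constructed for illustration; for real data, read both copies with `open(path, "rb")` so nothing is translated on the way in.

```python
"""Line-ending audit: did a pipeline stage strip CR (0x0d) bytes?"""
import re
from collections import Counter

# Constructed sample: a CRLF-terminated XML message and the copy read back.
SENT = b'<?xml version="1.0"?>\r\n<Event>\r\n<Field1>abc</Field1>\r\n</Event>\r\n'
STORED = SENT.replace(b"\r\n", b"\n")


def line_ending_counts(data: bytes) -> Counter:
    """Count CRLF, bare LF and bare CR terminators in raw bytes."""
    counts = Counter(crlf=0, lf=0, cr=0)
    # Alternation order matters: CRLF must be tried before its two halves.
    for match in re.finditer(rb"\r\n|\n|\r", data):
        kind = {b"\r\n": "crlf", b"\n": "lf", b"\r": "cr"}[match.group()]
        counts[kind] += 1
    return counts


def first_difference(original: bytes, stored: bytes):
    """Return the offset of the first differing byte, or None if identical."""
    for offset, (a, b) in enumerate(zip(original, stored)):
        if a != b:
            return offset
    if len(original) != len(stored):
        return min(len(original), len(stored))
    return None


def classify(original: bytes, stored: bytes) -> str:
    """Describe how the stored copy differs from the original."""
    if original == stored:
        return "identical"
    if original.replace(b"\r\n", b"\n") == stored:
        return "crlf-normalized-to-lf"
    if original.replace(b"\r", b"") == stored:
        return "all-cr-stripped"
    return "other-modification"


if __name__ == "__main__":
    print("sent:  ", dict(line_ending_counts(SENT)))
    print("stored:", dict(line_ending_counts(STORED)))
    print("first differing offset:", first_difference(SENT, STORED))
    print("verdict:", classify(SENT, STORED))
```

Running the same comparison at each hop (messaging system, rawdata, export) shows which stage first returns a verdict other than "identical".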