line breaking issue, please help with props.com

sim_tcr · ‎10-13-2016

Hello,

In our log, every new event starts with below pattern,

Sunday 2016-10-09 12:02:46,047 [tomcat-http--9]

Currently line breaking is not happening correctlly.
the props.conf on the indexer look like below,

[ecapi_log4j_2]
TIME_FORMAT = %Y-%m-%d %H:%M:%S,%3N
MAX_TIMESTAMP_LOOKAHEAD = 26
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)(?:\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2},\d{3})
TRUNCATE = 100000

Can some one help to fix it please?

Thanks,
Simon Mandy

lukejadamec · ‎10-13-2016

Have you tried the config on the forwarder? The data may already be parsed by the time it hits the indexer.

twinspop · ‎10-13-2016

[ecapi_log4j_2]
TIME_FORMAT = %Y-%m-%d %H:%M:%S,%3N
MAX_TIMESTAMP_LOOKAHEAD = 40
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)[SMTWF][a-z]+\s+\d{4}-\d{2}-\d{2}
TRUNCATE = 100000

sim_tcr · ‎10-14-2016

that did not work either.

jkat54 · ‎10-14-2016

Change truncate = 100000 to a higher number like truncate=250000

gcusello · ‎10-13-2016

I don't know if "Sunday 2016-10-09 12:02:46,047 [tomcat-http--9]" is an example of a full event or the beginning of it.

Every way, you could import events using the following Time format
%A %Y-%m-%d %H:%M:%S,%3N
Splunk recognizes timestamp as event start and truncate before it.

If your example is only the beginning of an event you have to modify only SHOULD_LINEMERGE.

Bye.
Giuseppe

sim_tcr · ‎10-13-2016

"Sunday 2016-10-09 12:02:46,047 [tomcat-http--9]" is the beginning of the event
I tried below and did not work

[ecapi_log4j_2]
TIME_FORMAT = %Y-%m-%d %H:%M:%S,%3N
MAX_TIMESTAMP_LOOKAHEAD = 26
**SHOULD_LINEMERGE = true**
LINE_BREAKER = ([\r\n]+)(?:\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2},\d{3})
TRUNCATE = 200000

gcusello · ‎10-13-2016

Did you tried to modify TIME_FORMAT in %A %Y-%m-%d %H:%M:%S,%3N and don't use LINE_BREAKER and TRUNCATE?

I suggest to you to save an example of your logs in a file and try to ingest it using the web interface.
In this way you can adjust your props and viewing the results at the same time.

Bye.
Giuseppe

diogofgm · ‎10-13-2016

Can you try this?

[ecapi_log4j_2]
TIME_PREFIX = \s
 TIME_FORMAT = %Y-%m-%d %H:%M:%S,%3N
 MAX_TIMESTAMP_LOOKAHEAD = 23
 SHOULD_LINEMERGE = false
 LINE_BREAKER = ([\r\n]+)([\w]+\s)(\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2},\d{3})
 TRUNCATE = 100000

------------
Hope I was able to help you. If so, some karma would be appreciated.

sim_tcr · ‎10-13-2016

That did not work. still multiple events getting clubbed together as one event in splunk.
These events are so large.
our splunkd.log has below many times,

10-13-2016 06:43:14.649 -0400 WARN  LineBreakingProcessor - Truncating line because limit of 100000 bytes has been exceeded with a line length >= 131072 - data_source="<source masked>", data_host="<host masked>", data_sourcetype="ecapi_log4j_2"

jkat54 · ‎10-13-2016

Change truncate = 100000 to truncate=250000

line breaking issue, please help with props.com

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life