How to edit my props.conf to forward Matlab Crash Dump?

sboland687
Engager

I'm getting an intermittent issue that I suspect is related to file IO, not Matlab. I want to forward all the crash dumps so that maybe I can identify a pattern. My problem is that Splunk is truncating the log at line 12 because of the second timestamp included in the Operating system version. I haven't had luck with the suggestions on the forums with settings in a props.conf file. Can anyone suggest a configuration that will work here?

example log (not mine, but always follows this form):

------------------------------------------------------------------------
       Segmentation violation detected at Wed Mar 23 15:52:27 2016
------------------------------------------------------------------------
Configuration:
  Crash Decoding     : Disabled
  Current Visual     : None
  Default Encoding   : UTF-8
  GNU C Library      : 2.21 stable
  MATLAB Architecture: glnxa64
  MATLAB Root        : /usr/local/MATLAB/R2014b
  MATLAB Version     : 8.4.0.150421 (R2014b)
  Operating System   : Linux 4.2.0-34-generic #39-Ubuntu SMP Thu Mar 10 22:13:01 UTC 2016 x86_64
  Processor ID       : x86 Family 6 Model 15 Stepping 11, GenuineIntel
  Virtual Machine    : Java 1.7.0_11-b21 with Oracle Corporation Java HotSpot(TM) 64-Bit Server VM mixed mode
  Window System      : No active display
Fault Count: 1
Abnormal termination:
Segmentation violation
Register State (from fault):
  RAX = 0000000000000000  RBX = 00007fdb91e76808
  RCX = 0000000000000000  RDX = 0000000000000003
  RSP = 00007fdc29c88ae0  RBP = 00007fdc29c88c00
  RSI = 0000000000000000  RDI = 00007fdb91e729e8
     R8 = 0000000000000018   R9 = 0000000000000000
    R10 = 00007fdb91e72000  R11 = 00007fdb91e77450
    R12 = 00007fdb92092f80  R13 = 0000000000000006
    R14 = 00007fdb91e73cc0  R15 = 00007fdbb84c5bc0
    RIP = 00007fdc40a3190a  EFL = 0000000000010206
     CS = 0033   FS = 0000   GS = 0000
Stack Trace (from fault):
[  0] 0x00007fdc40a3190a                        /lib64/ld-linux-x86-64.so.2+00051466
[  1] 0x00007fdc40a3a501                        /lib64/ld-linux-x86-64.so.2+00087297
[  2] 0x00007fdc40a354b4                        /lib64/ld-linux-x86-64.so.2+00066740
[  3] 0x00007fdc40a399f3                        /lib64/ld-linux-x86-64.so.2+00084467
[  4] 0x00007fdc3d2b6fc9                   /lib/x86_64-linux-gnu/libdl.so.2+00004041
[  5] 0x00007fdc40a354b4                        /lib64/ld-linux-x86-64.so.2+00066740
[  6] 0x00007fdc3d2b762d                   /lib/x86_64-linux-gnu/libdl.so.2+00005677

somesoni2
SplunkTrust

Give this a try

props.conf on Indexer/Heavy forwarder

[ <SOURCETYPE NAME> ]
SHOULD_LINEMERGE=false
disabled=false
LINE_BREAKER=(-+[\r\n]+)(?=\s+\S+.+\w+\s\d{2}\s\d{2}:\d{2}:\d{2} \d{4})
TIME_FORMAT=%b %d %H:%M:%S %Y
TIME_PREFIX=at\s+\w+\s
MAX_TIMESTAMP_LOOKAHEAD=20
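
A way to check these settings offline before deploying them, as an added example that is not part of the answer above. It approximates Splunk's event breaking and timestamp extraction with Python's `re` and `strptime`; the sample dumps are constructed from the layout in the question, and the helper names `dump`, `split_events` and `event_time` are hypothetical.

```python
import re
from datetime import datetime

# Settings copied from the props.conf in the answer above.
LINE_BREAKER = r"(-+[\r\n]+)(?=\s+\S+.+\w+\s\d{2}\s\d{2}:\d{2}:\d{2} \d{4})"
TIME_PREFIX = r"at\s+\w+\s"
TIME_FORMAT = "%b %d %H:%M:%S %Y"
MAX_TIMESTAMP_LOOKAHEAD = 20

RULE = "-" * 72

def dump(when, os_stamp):
    """Build one abbreviated crash dump (constructed sample, not real data)."""
    return (f"{RULE}\n       Segmentation violation detected at {when}\n{RULE}\n"
            "Configuration:\n"
            "  Operating System   : Linux 4.2.0-34-generic #39-Ubuntu SMP "
            f"{os_stamp} x86_64\n"
            "Fault Count: 1\n"
            "Stack Trace (from fault):\n"
            "[  0] 0x00007fdc40a3190a   /lib64/ld-linux-x86-64.so.2+00051466\n")

# Two dumps back to back, each carrying the second (kernel build) timestamp.
SAMPLE = (dump("Wed Mar 23 15:52:27 2016", "Thu Mar 10 22:13:01 UTC 2016")
          + dump("Thu Mar 24 09:01:05 2016", "Thu Mar 10 22:13:01 UTC 2016"))

def split_events(raw):
    """Approximate SHOULD_LINEMERGE=false: cut at each LINE_BREAKER match and
    discard the text of capture group 1 (the leading rule of dashes)."""
    events, start = [], 0
    for m in re.finditer(LINE_BREAKER, raw):
        if raw[start:m.start(1)].strip():
            events.append(raw[start:m.start(1)])
        start = m.end(1)
    if raw[start:].strip():
        events.append(raw[start:])
    return events

def event_time(event):
    """Approximate timestamp extraction: take at most MAX_TIMESTAMP_LOOKAHEAD
    characters after the first TIME_PREFIX match and parse with TIME_FORMAT."""
    m = re.search(TIME_PREFIX, event)
    if m is None:
        return None
    window = event[m.end():m.end() + MAX_TIMESTAMP_LOOKAHEAD]
    return datetime.strptime(window, TIME_FORMAT)

if __name__ == "__main__":
    for ev in split_events(SAMPLE):
        print(event_time(ev), len(ev.splitlines()), "lines")
```

Each dump should come out as one event that still contains the Operating System line and the stack trace, stamped with the time from the "detected at" header rather than the kernel build time.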
