I have a database input configured:
[dbmon-tail://spa/dwf_rdfdirector_r]
host = spa
index = emc
interval = auto
output.format = mkv
output.timestamp = 1
output.timestamp.column = createdate
output.timestamp.format = yyyy-MM-dd HH:mm:ss
output.timestamp.parse.format = yyyy-MM-dd HH:mm:ss
sourcetype = dwf_rdfdirector_r
table = dwf_rdfdirector_r
tail.rising.column = createdate
1) I suspect it is intentional that when the query is run and no new results are received, an event like
---91827349873-dbx-end-of-event---
is indexed. Is there a config setting to prevent that?
2) Most of the other events that have new data have no dbx-end-of-event line at all and miss the last 15 columns as well. Sometimes I get the second part of the table with only the last 15 columns and the dbx-end-of-event line but without the first 25 and the timestamp. But that happens in less than 1/3 of the events. Any idea what is happening there?
The searches "Recent DB Connect errors" and "Recent Java Bridge errors" have no entries.
Those lines are intended for marking the end of an event in order to force correct line breaking for multiline events. Unfortunately you have to specify those settings manually at the moment if you're using a custom sourcetype. The following props.conf stanza should apply the correct settings for your case:
[dwf_rdfdirector_r]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]---91827349873-dbx-end-of-event---[\r\n])
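To make the effect of that stanza concrete, here is a small added example (not code from the original thread, Splunk, or DB Connect) that simulates how Splunk applies a LINE_BREAKER: the text matched by the regex's first capture group is treated as the event boundary and discarded, so the marker line itself never lands inside an indexed event. The sample stream is constructed to look like the "mkv" (multi-line key/value) output of a dbmon-tail input; the marker string and the regex are the ones from the answer above. The example skips empty chunks between consecutive markers; whether Splunk itself indexes an empty event after a poll that returned no rows (question 1 above) is not something this simulation settles.

```python
import re

# Marker that DB Connect appends after each event in mkv output (from the thread above).
END_OF_EVENT = "---91827349873-dbx-end-of-event---"

# Same pattern as the props.conf LINE_BREAKER in the answer: one line-ending
# character, the marker, one line-ending character, all inside the capture group.
LINE_BREAKER = re.compile(r"([\r\n]" + re.escape(END_OF_EVENT) + r"[\r\n])")

# Constructed sample of raw input: two rows, each terminated by the marker.
SAMPLE_STREAM = (
    "createdate=2013-02-16 02:32:13\n"
    "track=US\n"
    "status=Open\n"
    f"{END_OF_EVENT}\n"
    "createdate=2013-02-16 02:40:01\n"
    "track=DE\n"
    "status=Closed\n"
    f"{END_OF_EVENT}\n"
)


def break_events(stream):
    """Split raw input the way a LINE_BREAKER does: everything between two
    matches of the capture group is one event, and the matched boundary text
    (the marker line) is dropped. Empty chunks are skipped."""
    events = []
    start = 0
    for match in LINE_BREAKER.finditer(stream):
        chunk = stream[start:match.start(1)]
        if chunk.strip():
            events.append(chunk.strip("\r\n"))
        start = match.end(1)
    tail = stream[start:]
    if tail.strip():
        events.append(tail.strip("\r\n"))
    return events


def parse_mkv(event):
    """Turn one mkv event (key=value per line) into a dict of fields."""
    fields = {}
    for line in event.splitlines():
        if "=" in line:
            key, value = line.split("=", 1)
            fields[key.strip()] = value.strip()
    return fields


def events_from_stream(stream):
    """Full pipeline: line-break the stream, then extract fields per event."""
    return [parse_mkv(event) for event in break_events(stream)]


if __name__ == "__main__":
    for fields in events_from_stream(SAMPLE_STREAM):
        print(fields)
```

Note that the regex requires a line-ending character on both sides of the marker, which is why SHOULD_LINEMERGE = false matters: with line merging left on, Splunk would re-join the broken lines using its own heuristics and the marker-based boundaries would not be the ones that decide where an event ends.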
I have a database input configured:
source="dbmon-tail://Sample_DB/sample1"
Input type: Tail
Rising column: modified_date
Index: default
Output format: Multi line key value format
Output timestamp: unchecked
Interval: auto
and placed the lines below in the 'props.conf' file at "Splunk/etc/apps/search/local/" and also in "Splunk/etc/apps/search/default/":
[sample1]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]---91827349873-dbx-end-of-event---[\r\n])
but I am still getting output in the format below:
modified_date=2013-02-16 02:32:13
track=US
cause=Task
closed_date=2013/02/16
area=TC Request
---91827349873-dbx-end-of-event---
entry_id=1234
assigned_id=ABCD
status=Closed
and I am also unable to retrieve the 'create_date' column, which exists in the DB.