DBX: when is the line "dbx-end-of-event" printed?

micm
Explorer

I have a database input configured:

[dbmon-tail://spa/dwf_rdfdirector_r]
host = spa 
index = emc 
interval = auto
output.format = mkv 
output.timestamp = 1 
output.timestamp.column = createdate
output.timestamp.format = yyyy-MM-dd HH:mm:ss
output.timestamp.parse.format = yyyy-MM-dd HH:mm:ss
sourcetype = dwf_rdfdirector_r
table = dwf_rdfdirector_r
tail.rising.column = createdate

1) I suspect it is intentional that when the query is run and no new results are received an event like

---91827349873-dbx-end-of-event---

is indexed. Is there a config setting to prevent that?

2) Most of the other events that have new data have no dbx-end-of-event line at all and miss the last 15 columns as well. Sometimes I get the second part of the table with only the last 15 columns and the dbx-end-of-event line but without the first 25 and the timestamp. But that happens in less than 1/3 of the events. Any idea what is happening there?

The searches "Recent DB Connect errors" and "Recent Java Bridge errors" have no entries.

0 Karma
1 Solution

ziegfried
Influencer

Those lines are intended for marking the end of an event in order to force correct line breaking for multiline events. Unfortunately you have to specify those settings manually at the moment if you're using a custom sourcetype. The following props.conf stanza should apply the correct settings for your case:

[dwf_rdfdirector_r]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]---91827349873-dbx-end-of-event---[\r\n])
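
A simplified model of the event breaking that the stanza above configures, with a check for events that still contain the marker or lack expected columns. This is an added example, not part of the original post and not Splunk's own code; the function names, the sample stream and the required-column lists are assumptions, and the model covers only the rule that the text matched by the first capture group is dropped at the event boundary.

```python
import re

# LINE_BREAKER value copied from the props.conf stanza in the answer above.
LINE_BREAKER = re.compile(r"([\r\n]---91827349873-dbx-end-of-event---[\r\n])")
MARKER = "dbx-end-of-event"


def break_events(raw, breaker=LINE_BREAKER):
    """Model of LINE_BREAKER with SHOULD_LINEMERGE = false: the text matched
    by the first capture group is discarded and an event boundary is placed
    at that position."""
    events, pos = [], 0
    for m in breaker.finditer(raw):
        events.append(raw[pos:m.start(1)])
        pos = m.end(1)
    if raw[pos:].strip():  # data after the last marker, if any
        events.append(raw[pos:])
    return events


def audit(events, required):
    """Return (event index, problem) pairs for events that still carry the
    marker line or lack one of the required column names."""
    findings = []
    for i, ev in enumerate(events):
        keys = {ln.split("=", 1)[0] for ln in ev.splitlines() if "=" in ln}
        if MARKER in ev:
            findings.append((i, "marker left inside event"))
        missing = sorted(set(required) - keys)
        if missing:
            findings.append((i, "missing " + ",".join(missing)))
    return findings


# Constructed sample stream in multi-line key-value form (not real data).
RAW = (
    "modified_date=2013-02-16 02:32:13\ntrack=US\nstatus=Closed\n"
    "---91827349873-dbx-end-of-event---\n"
    "modified_date=2013-02-16 02:40:00\ntrack=EU\nstatus=Open\n"
    "---91827349873-dbx-end-of-event---\n"
)

if __name__ == "__main__":
    for n, event in enumerate(break_events(RAW)):
        print(f"--- event {n} ---\n{event}")
    # An unbroken stream (stanza not applied) is flagged by the audit.
    print(audit([RAW], ["modified_date"]))
```

Running `audit` over a sample of indexed events for the sourcetype shows whether the props.conf stanza is actually being applied: a marker inside an event or a missing column means the breaking rule did not take effect for that event.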


spandal
New Member

I have a database input configured:
source="dbmon-tail://Sample_DB/sample1"
i/p type: Tail
Rising column: modified_date
Index: default
O/p format: Multi line key value format
o/p timestamp: Unchecked
Interval : auto

and placed the lines below in the 'props.conf' file at the path "Splunk/etc/apps/search/local/" and also in "Splunk/etc/apps/search/default/":

[sample1]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]---91827349873-dbx-end-of-event---[\r\n])

but still getting output in the format below:

modified_date=2013-02-16 02:32:13
track=US
cause=Task
closed_date=2013/02/16
area=TC Request
---91827349873-dbx-end-of-event---
entry_id=1234
assigned_id=ABCD
status=Closed

and also unable to retrieve the 'create_date' column, which exists in the DB

0 Karma
