I've written for below props.conf and placed in etc\apps\local.
I'm getting sporadic results and lines are being chunked together.
Any help would be greatly appreciated.
[tomcat:jackrabbit:log]
SHOULD_LINEMERGE = false
MAX_TIMESTAMP_LOOKAHEAD = 23
LINE_BREAKER = ([\r\n]+)(\d{4}-\d{2}-\d{2}_\d{2}:\d{2}:\d{2}.\d{3})
TIME_FORMAT = %Y-%m-%d_%H:%M:%S.%3N
TIME_PREFIX = ^
#BREAK_ONLY_BEFORE = ([\r\n]+)(\d{4}-\d{2}-\d{2}_\d{2}:\d{2}:\d{2}.\d{3})
Logged Events:
2019-11-12_14:06:11.682 [http-nio-8081-exec-3_UpdateFundingRate_null] TRACE: 78420:1: setObject: 1 Inputs - |SEAGH0R5| ownerId, ALR_RID_OWNER, java.lang.String
2019-11-12_14:06:11.682 [http-nio-8081-exec-3_UpdateFundingRate_null] TRACE: 78420:1: setObject: 2 Inputs - |CUS | ownerType, ALR_CDE_OWNER_TYPE, java.lang.String
2019-11-12_14:06:11.698 [http-nio-8081-exec-3_UpdateFundingRate_null] DEBUG: execute sql jar:file:/C:/LOANIQ/Server/mssxml.jar!/78420.xml, Row Count = 0
2019-11-12_14:06:11.729 [http-nio-8081-exec-7_RunXQuery_null] DEBUG: execute trans for xml file = SqlQuery[1,JDBCAdapterSqlXml[78420,jar:file:/C:/LOANIQ/Server/mssxml.jar!/78420.xml,in:2,out:9,count:1,exec:DEFAULT]]
2019-11-12_14:06:11.729 [http-nio-8081-exec-7_RunXQuery_null] TRACE: Prepared 78420:1 {
SELECT
ALR_TSP_REC_CREATE ,
ALR_UID_REC_CREATE ,
ALR_TXT_DETAILS ,
ALR_RID_ALERT ,
ALR_RID_OWNER ,
ALR_CDE_OWNER_TYPE ,
ALR_TXT_SHORT_DESC ,
ALR_TSP_REC_UPDATE ,
ALR_UID_REC_UPDATE
FROM
VLS_ALERT
WHERE
ALR_RID_OWNER = CAST ( ? AS CHAR ( 8 ) ) AND
ALR_CDE_OWNER_TYPE = CAST ( ? AS CHAR ( 5 ) )
/* LIQ-78420.xml */
} com.misys.liq.jsqlaccess.adapter.jdbcadapter.JDBCWrapper
`com.microsoft.sqlserver.jdbc.SQLServerPreparedStatement@6ee94345
2019-11-12_14:06:11.729 [http-nio-8081-exec-7_RunXQuery_null] TRACE: 78420:1: setObject: 1 Inputs - |+3BATO74| ownerId, ALR_RID_OWNER, java.lang.String
2019-11-12_14:06:11.729 [http-nio-8081-exec-7_RunXQuery_null] TRACE: 78420:1: setObject: 2 Inputs - |DEA | ownerType, ALR_CDE_OWNER_TYPE, java.lang.String
2019-11-12_14:06:11.744 [http-nio-8081-exec-7_RunXQuery_null] DEBUG: execute sql jar:file:/C:/LOANIQ/Server/mssxml.jar!/78420.xml, Row Count = 0
2019-11-12_14:06:11.776 [http-nio-8081-exec-9_RunXQuery_null] DEBUG: execute trans for xml file = SqlQuery[1,JDBCAdapterSqlXml[78420,jar:file:/C:/LOANIQ/Server/mssxml.jar!/78420.xml,in:2,out:9,count:1,exec:DEFAULT]]
2019-11-12_14:06:11.776 [http-nio-8081-exec-9_RunXQuery_null] TRACE: Prepared 78420:1 {
Hi,
Please try below configuration on first Splunk Enterprise Instance (IDX or HW).
props.conf
[yourSourcetype]
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)\d{4}-\d{2}-\d{2}_\d{2}\:\d{2}\:\d{2}\.\d{3}
TIME_FORMAT=%Y-%m-%d_%H:%M:%S.%3N
TIME_PREFIX=^
MAX_TIMESTAMP_LOOKAHEAD=23
Thanks for your input, but still not working. I updated the props.conf and restarted the UF:
2019-11-12_15:53:15.243 [http-nio-8081-exec-1_RunXQuery_null] TRACE: 35121:1 : Row : {0=[column=OAR_CDE_APRVL_TRAN value=ACADJ], 1=[column=OAR_TXT_APRVR1_RNK value=30], 5=[column=OAR_NUM_LOC_APRVRS value=0], 7=[column=OAR_TSP_REC_CREATE value=2010-07-06 08:20:29.64], 8=[column=OAR_UID_REC_CREATE value=RNOWOTNY], 9=[column=OAR_CDE_CURRENCY value=USD], 10=[column=OAR_AMT_TRN_GLOBAL value=25], 11=[column=OAR_RID_APRVL_RULE value=1O94Z8HG], 12=[column=OAR_NUM_SORT_ORDER value=5], 13=[column=OAR_AMT_POST_TRAN value=0], 14=[column=OAR_IND_PRCSR_APRV value=Y], 15=[column=TEX_IND_VALUE value=N], 16=[column=OAR_AMT_TRAN value=0], 17=[column=OAR_TSP_REC_UPDATE value=2019-11-08 12:00:50.212], 18=[column=OAR_UID_REC_UPDATE value=PANDERSO], 19=[column=OAR_IND_WARN_OVRDN value=N]}
2019-11-12_15:53:15.243 [http-nio-8081-exec-1_RunXQuery_null] TRACE: 35121:1 : Row : {0=[column=OAR_CDE_APRVL_TRAN value=ACADJ], 1=[column=OAR_TXT_APRVR1_RNK value=30], 5=[column=OAR_NUM_LOC_APRVRS value=0], 7=[column=OAR_TSP_REC_CREATE value=2012-02-10 15:27:29.25], 8=[column=OAR_UID_REC_CREATE value=RNOWOTNY], 9=[column=OAR_CDE_CURRENCY value=USD], 10=[column=OAR_AMT_TRN_GLOBAL value=500], 11=[column=OAR_RID_APRVL_RULE value=9-9Z19KO], 12=[column=OAR_NUM_SORT_ORDER value=6], 13=[column=OAR_AMT_POST_TRAN value=0], 14=[column=OAR_IND_PRCSR_APRV value=N], 15=[column=TEX_IND_VALUE value=N], 16=[column=OAR_AMT_TRAN value=0], 17=[column=OAR_TSP_REC_UPDATE value=2019-11-08 12:00:50.212], 18=[column=OAR_UID_REC_UPDATE value=PANDERSO], 19=[column=OAR_IND_WARN_OVRDN value=N]}
2019-11-12_15:53:15.243 [http-nio-8081-exec-1_RunXQuery_null] TRACE: 35121:1 : Row : {0=[column=OAR_CDE_APRVL_TRAN value=ACADJ], 1=[column=OAR_TXT_APRVR1_RNK value=50], 5=[column=OAR_NUM_LOC_APRVRS value=0], 7=[column=OAR_TSP_REC_CREATE value=2012-02-24 15:00:40.01], 8=[column=OAR_UID_REC_CREATE value=RNOWOTNY], 9=[column=OAR_CDE_CURRENCY value=USD], 10=[column=OAR_AMT_TRN_GLOBAL value=0], 11=[column=OAR_RID_APRVL_RULE value=KW9ZR5OR], 12=[column=OAR_NUM_SORT_ORDER value=7], 13=[column=OAR_AMT_POST_TRAN value=0], 14=[column=OAR_IND_PRCSR_APRV value=N], 15=[column=TEX_IND_VALUE value=N], 16=[column=OAR_AMT_TRAN value=0], 17=[column=OAR_TSP_REC_UPDATE value=2019-11-08 12:00:50.212], 18=[column=OAR_UID_REC_UPDATE value=PANDERSO], 19=[column=OAR_IND_WARN_OVRDN value=N]}
2019-11-12_15:53:15.243 [http-nio-8081-exec-1_RunXQuery_null] DEBUG: execute sql jar:file:/C:/LOANIQ/Server/mssxml.jar!/35121.xml, Row Count = 7
2019-11-12_15:53:15.274 [http-nio-8081-exec-4_RunXQuery_null] DEBUG: execute trans for xml file = SqlQuery[1,JDBCAdapterSqlXml[66822,jar:file:/C:/LOANIQ/Server/mssxml.jar!/66822.xml,in:2,out:15,count:1,exec:DEFAULT]]
2019-11-12_15:53:15.274 [http-nio-8081-exec-4_RunXQuery_null] TRACE: Prepared 66822:1 {
SELECT
TEX_TSP_REC_CREATE ,
TEX_UID_REC_CREATE ,
TEX_RID_TABLE_EXT ,
TEX_RID_OWNER ,
TEX_CDE_OWNER_TYPE ,
TEX_NME_POTEN_COL ,
TEX_TSP_REC_UPDATE ,
TEX_UID_REC_UPDATE ,
TEX_AMT_VALUE ,
TEX_DTE_VALUE ,
TEX_IND_VALUE ,
TEX_INT_VALUE ,
TEX_RTO_VALUE ,
TEX_TXT_VALUE ,
TEX_TSP_VALUE
FROM
VLS_TABLE_EXT ,
VLS_ONL_APRVL_RULE
WHERE
TEX_NME_POTEN_COL = CAST ( ? AS CHAR ( 18 ) ) AND
OAR_CDE_APRVL_TRAN = CAST ( ? AS CHAR ( 5 ) ) AND
OAR_RID_APRVL_RULE = TEX_RID_OWNER
/* LIQ-66822.xml */
} com.misys.liq.jsqlaccess.adapter.jdbcadapter.JDBCWrapper@206d6365 com.microsoft.sqlserver.jdbc.SQLServerPreparedStatement@4a764b82
2019-11-12_15:53:15.274 [http-nio-8081-exec-4_RunXQuery_null] TRACE: 66822:1: setObject: 1 Inputs - |OAR_IND_CRTR_APRV | potentialColumnName, TEX_NME_POTEN_COL, java.lang.String
2019-11-12_15:53:15.274 [http-nio-8081-exec-4_RunXQuery_null] TRACE: 66822:1: setObject: 2 Inputs - |ACADJ| approvableTransactionCode, OAR_CDE_APRVL_TRAN, java.lang.String
2019-11-12_15:53:15.274 [http-nio-8081-exec-4_RunXQuery_null] TRACE: 66822:1 : Row : {0=[column=TEX_TSP_REC_CREATE value=2019-08-10 02:25:23.2], 1=[column=TEX_UID_REC_CREATE value=LIQ_API], 2=[column=TEX_RID_TABLE_EXT value=T/X00023], 3=[column=TEX_RID_OWNER value=1O94Z8HG], 4=[column=TEX_CDE_OWNER_TYPE value=OAR], 5=[column=TEX_NME_POTEN_COL value=OAR_IND_CRTR_APRV], 6=[column=TEX_TSP_REC_UPDATE value=2019-08-10 02:25:23.2], 7=[column=TEX_UID_REC_UPDATE value=LIQ_API], 10=[column=TEX_IND_VALUE value=Y]}
2019-11-12_15:53:15.274 [http-nio-8081-exec-4_RunXQuery_null] TRACE: 66822:1 : Row : {0=[column=TEX_TSP_REC_CREATE value=2019-08-10 02:25:23.2], 1=[column=TEX_UID_REC_CREATE value=LIQ_API], 2=[column=TEX_RID_TABLE_EXT value=T/X00027], 3=[column=TEX_RID_OWNER value=9-9Z19KO], 4=[column=TEX_CDE_OWNER_TYPE value=OAR], 5=[column=TEX_NME_POTEN_COL value=OAR_IND_CRTR_APRV], 6=[column=TEX_TSP_REC_UPDATE value=2019-08-10 02:25:23.2], 7=[column=TEX_UID_REC_UPDATE value=LIQ_API], 10=[column=TEX_IND_VALUE value=N]}
2019-11-12_15:53:15.274 [http-nio-8081-exec-4_RunXQuery_null] TRACE: 66822:1 : Row : {0=[column=TEX_TSP_REC_CREATE value=2019-08-10 02:25:23.2], 1=[column=TEX_UID_REC_CREATE value=LIQ_API], 2=[column=TEX_RID_TABLE_EXT value=T/X00029], 3=[column=TEX_RID_OWNER value=DI9PWXWZ], 4=[column=TEX_CDE_OWNER_TYPE value=OAR], 5=[column=TEX_NME_POTEN_COL value=OAR_IND_CRTR_APRV], 6=[column=TEX_TSP_REC_UPDATE value=2019-08-10 02:25:23.2], 7=[column=TEX_UID_REC_UPDATE value=LIQ_API], 10=[column=TEX_IND_VALUE value=Y]}
2019-11-12_15:53:15.274 [http-nio-8081-exec-4_RunXQuery_null] TRACE: 66822:1 : Row : {0=[column=TEX_TSP_REC_CREATE value=2019-08-10 02:25:23.2], 1=[column=TEX_UID_REC_CREATE value=LIQ_API], 2=[column=TEX_RID_TABLE_EXT value=T/X00084], 3=[column=TEX_RID_OWNER value=J(9KRUL8], 4=[column=TEX_CDE_OWNER_TYPE value=OAR], 5=[column=TEX_NME_POTEN_COL value=OAR_IND_CRTR_APRV], 6=[column=TEX_TSP_REC_UPDATE value=2019-08-10 02:25:23.2], 7=[column=TEX_UID_REC_UPDATE value=LIQ_API], 10=[column=TEX_IND_VALUE value=N]}
2019-11-12_15:53:15.274 [http-nio-8081-exec-4_RunXQuery_null] TRACE: 66822:1 : Row : {0=[column=TEX_TSP_REC_CREATE value=2019-08-10 02:25:23.2], 1=[column=TEX_UID_REC_CREATE value=LIQ_API], 2=[column=TEX_RID_TABLE_EXT value=T/X00139], 3=[column=TEX_RID_OWNER value=KW9ZR5OR], 4=[column=TEX_CDE_OWNER_TYPE value=OAR], 5=[column=TEX_NME_POTEN_COL value=OAR_IND_CRTR_APRV], 6=[column=TEX_TSP_REC_UPDATE value=2019-08-10 02:25:23.2], 7=[column=TEX_UID_REC_UPDATE value=LIQ_API], 10=[column=TEX_IND_VALUE value=N]}
2019-11-12_15:53:15.274 [http-nio-8081-exec-4_RunXQuery_null] TRACE: 66822:1 : Row : {0=[column=TEX_TSP_REC_CREATE value=2019-08-10 02:25:23.2], 1=[column=TEX_UID_REC_CREATE value=LIQ_API], 2=[column=TEX_RID_TABLE_EXT value=T/X00147], 3=[column=TEX_RID_OWNER value=Y*94SS3I], 4=[column=TEX_CDE_OWNER_TYPE value=OAR], 5=[column=TEX_NME_POTEN_COL value=OAR_IND_CRTR_APRV], 6=[column=TEX_TSP_REC_UPDATE value=2019-08-10 02:25:23.2], 7=[column=TEX_UID_REC_UPDATE value=LIQ_API], 10=[column=TEX_IND_VALUE value=Y]}
Configuration which I have provided will not work on UF, you need to configure it on first Splunk Enterprise Instance (Indexer or Heavy Forwarder) from UF.