
How to find events that are not splitting correctly

freern
New Member

I'm trying to determine which of my company's application logs aren't being split correctly, but I'm having a hard time getting a regex search that only returns results that fit the scenario.

The problem part of the raw log is [SKY_LOG_END]\n[SKY_LOG_START]

Any help would be appreciated.

0 Karma

jkat54
SplunkTrust

Will the linecount field help here? In verbose mode you should be able to search for linecount>1 and see all the events with greater than one line.

0 Karma

jkat54
SplunkTrust

If you have access to _internal index, there is a component=linebreak* you can search for too.

0 Karma

richgalloway
SplunkTrust

The "Health Check" dashboard in the Monitoring Console will report on possible event breaking problems.

---
If this reply helps you, Karma would be appreciated.
0 Karma

freern
New Member

Thanks for your response. I don't have access to the Monitoring Console, as that side of things is managed by our system administrators. Is there any way to find this information as part of a Splunk search using the information I've given?

0 Karma

richgalloway
SplunkTrust

This is the MC search for event processing errors.

index=_internal splunk_server=local search_group=dmc_group_indexer earliest=-60m (source=*splunkd.log* (component=AggregatorMiningProcessor OR component=LineBreakingProcessor OR component=DateParserVerbose) (log_level=WARN OR log_level=ERROR)) OR (source=*metrics.log* group=thruput name=index_thruput)
| stats sum(eval(round(ev,0))) AS event_count count(eval(component=="AggregatorMiningProcessor")) AS aggregation_issues count(eval(component=="LineBreakingProcessor")) AS line_breaking_issues count(eval(component=="DateParserVerbose")) AS date_parsing_issues by host 
| eval crap_score = round((aggregation_issues + line_breaking_issues + date_parsing_issues) / event_count * 1000, 3) 
| eval severity_level = case(crap_score == 0, 0, crap_score > 0 AND crap_score < 1, 1, True(), 2) 
| rename host AS instance 
| fields - crap_score
---
If this reply helps you, Karma would be appreciated.
0 Karma

to4kawa
Ultra Champion

@freern
Please provide sample logs, masking sensitive data like XXXX.

0 Karma
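An added example search, not posted by anyone in this thread, that does what the original question asks for: it keeps only events whose raw text contains the end marker immediately followed by the next start marker (the signature of two or more events merged into one), counts how many application events were merged into each Splunk event, and summarizes the damage per source so the worst-broken inputs surface first. The sourcetype name is a placeholder; replace it with the application log's sourcetype.

```spl
sourcetype=sky_app_log_sourcetype_placeholder
| regex _raw="\[SKY_LOG_END\]\s*\[SKY_LOG_START\]"
| rex field=_raw max_match=0 "(?<merged_boundary>\[SKY_LOG_END\]\s*\[SKY_LOG_START\])"
| eval merged_events = mvcount(merged_boundary) + 1
| stats count AS bad_events, sum(merged_events) AS app_events_merged, max(linecount) AS max_linecount, max(_time) AS last_seen BY sourcetype, source, host
| convert ctime(last_seen)
| sort - bad_events
```

Each row shows a source whose events are being merged, how many Splunk events are affected, and how many application events ended up inside them; once the linebreaking is corrected in props.conf, the search should return no rows for new data.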