Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Multi line log issue

castle1126
Communicator
‎10-25-2010 06:28 PM

I have a Windows system with 4.1.5 forwarding to my Splunk indexer, that puts out logs in this format:

begin error

lines of interesting log entries

end error

I've been noodling around with different options within the PROPS.CONF on the Forwarder system. So far no luck. My goal is to be have the forwarder sear the data correctly then transfer to the Indexing server.

Any tips or ideas I'm missing?

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

southeringtonp
Motivator
‎10-25-2010 07:27 PM

Are these Windows Event Log events or text-based? What do you want the indexed events to look like?

If all events follow the format you describe, then it should be enough to do:

#props.conf
[yoursourcetype]
LINE_BREAKER=([\r\n]+)(### begin error)

Not sure if the hash marks would need to be escaped.

View solution in original post

Reply
Solved! Jump to solution
Solution

southeringtonp
Motivator
‎10-25-2010 07:27 PM

Are these Windows Event Log events or text-based? What do you want the indexed events to look like?

If all events follow the format you describe, then it should be enough to do:

#props.conf
[yoursourcetype]
LINE_BREAKER=([\r\n]+)(### begin error)

Not sure if the hash marks would need to be escaped.

Reply
Solved! Jump to solution

castle1126
Communicator
‎10-26-2010 03:14 PM

Hey SoutheringtonP,

I changed the client from running LightForwarder to Forwarder. Your change to the props.conf worked perfect! Thanks for the insight!!

0 Karma
Reply
Solved! Jump to solution

castle1126
Communicator
‎10-26-2010 01:01 AM

Sorry for the posting glitch, my bad with the # versus = sign. In this case the forwarder being used is the light forwarder. Thanks for the tip, I'll make the entry in the indexer's props.conf and see how that works.

0 Karma
Reply
Solved! Jump to solution

southeringtonp
Motivator
‎10-25-2010 09:22 PM

Equals signs would not need to be escaped. In your original question, you had hashes, which might have been interpreted as the beginning of a comment in the config file. If you are using a lightweight forwarder, then do this at the indexer. For heavy-weight forwarders, do it at the forwarder.

0 Karma
Reply
Solved! Jump to solution

castle1126
Communicator
‎10-25-2010 08:06 PM

A question - in my setup the forwarder system has the props.conf with the LINE_BREAKER entry in it. Should this props.conf be moved to the indexing server or left on the forwarding system?

0 Karma
Reply
Solved! Jump to solution

castle1126
Communicator
‎10-25-2010 08:01 PM

The logs I'm going after are not Event logs, they're output from a custom program. I tried as you noted and no luck. The first event shows the header line (===== begin error =====) and the next line from the file (ASP error on page: http://server/page.asp).
The next event begins with the 3rd line of text (At 10/25/2010 3:55:09pm) and shows the remaining lines of text up to the last line (===== end error =====).

By the way, I tested the = sign in REGEX Buddy and it recognized the = sign as a character.

Any other ideas?

0 Karma
Reply
Solved! Jump to solution

ftk
Motivator
‎10-25-2010 06:58 PM

So do you want multiline events or not? Can't quite tell from your question. Can you please clarify?

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...