- Splunk Answers
- :
- Splunk Administration
- :
- Security
- :
- splunkd error
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
splunkd error
Hi,
I'm getting the following error in my splunkd.log, and I can't determine where the issue is. Hoping someone can help me...
The error is:
04-22-2013 14:45:41.122 -0400 ERROR DatetimeInitUtils - Invalid regex ^[ -- Regex: missing terminating ] for character class - data_source="F:\IBM\Lotus\Domino\Trace\UserInfoSA_130419_2323_0.txt", data_host="blahblahblah", data_sourcetype="STCommunityTraceLogs_user"
My inputs.conf is:
[monitor://F:\IBM\Lotus\Domino\Trace\User*.txt]
sourcetype = STCommunityTraceLogs_user
index = euc_sametimedata
disabled = false
followTail = 0
crcSalt =
and my props.conf is:
[STCommunityTraceLogs_user]
TIME_FORMAT = %H:%M:%S.%3N | %d.%m.%Y
MAX_TIMESTAMP_LOOKAHEAD = 55
NO_BINARY_CHECK = 1
SHOULD_LINEMERGE = false
TIME_PREFIX = ^[
Here's some sample lines...
[ 14:38:32.235 | 24.01.2013 | INFO | main ] : UserInfoLogger : info : Initializing UserInfo SA
[ 14:38:32.329 | 24.01.2013 | INFO | main ] : UserInfoLogger : info : openning storage 0 for storage type LDAP
[ 14:38:32.329 | 24.01.2013 | INFO | main ] : UserInfoLogger : info : openning provider host=fidvirtualdir-qa.fmr.com port=2491(&(objectclass=FidelityPerson)(|(mail=%s)(cn=%s)(uid=%s))) storage num=0
[ 14:38:32.329 | 24.01.2013 | INFO | main ] : UserInfoLogger : info : opening detail id=MailAddress type=text/plain fieldName=Mail storage num=0
[ 14:38:32.329 | 24.01.2013 | INFO | main ] : UserInfoLogger : info : opening detail id=Name type=text/plain fieldName=cn storage num=0
[ 14:38:32.329 | 24.01.2013 | INFO | main ] : UserInfoLogger : info : opening detail id=Title type=text/plain fieldName=title st
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, you'll need to escape the square bracket in TIME_PREFIX. Otherwise Splunks regex engine will see the as the start of a character class.
So;
TIME_PREFIX=^\[
Also, if you need the crcSalt, I believe that it should be in uppercase; <SOURCE>
/K
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks, appeared to work.
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
Splunk Custom Visualizations App End of Life
