How to edit my props.conf to forward Matlab Crash Dump?

sboland687
Engager

I'm getting an intermittent issue that I suspect is related to file IO, not Matlab. I want to forward all the crash dumps so that maybe I can identify a pattern. My problem is that Splunk is truncating the log at line 12 because of the second timestamp included in the Operating system version. I haven't had luck with the suggestions on the forums with settings in a props.conf file. Can anyone suggest a configuration that will work here?

example log (not mine, but always follows this form):

------------------------------------------------------------------------
       Segmentation violation detected at Wed Mar 23 15:52:27 2016
------------------------------------------------------------------------
Configuration:
  Crash Decoding     : Disabled
  Current Visual     : None
  Default Encoding   : UTF-8
  GNU C Library      : 2.21 stable
  MATLAB Architecture: glnxa64
  MATLAB Root        : /usr/local/MATLAB/R2014b
  MATLAB Version     : 8.4.0.150421 (R2014b)
  Operating System   : Linux 4.2.0-34-generic #39-Ubuntu SMP Thu Mar 10 22:13:01 UTC 2016 x86_64
  Processor ID       : x86 Family 6 Model 15 Stepping 11, GenuineIntel
  Virtual Machine    : Java 1.7.0_11-b21 with Oracle Corporation Java HotSpot(TM) 64-Bit Server VM mixed mode
  Window System      : No active display
Fault Count: 1
Abnormal termination:
Segmentation violation
Register State (from fault):
  RAX = 0000000000000000  RBX = 00007fdb91e76808
  RCX = 0000000000000000  RDX = 0000000000000003
  RSP = 00007fdc29c88ae0  RBP = 00007fdc29c88c00
  RSI = 0000000000000000  RDI = 00007fdb91e729e8
     R8 = 0000000000000018   R9 = 0000000000000000
    R10 = 00007fdb91e72000  R11 = 00007fdb91e77450
    R12 = 00007fdb92092f80  R13 = 0000000000000006
    R14 = 00007fdb91e73cc0  R15 = 00007fdbb84c5bc0
    RIP = 00007fdc40a3190a  EFL = 0000000000010206
     CS = 0033   FS = 0000   GS = 0000
Stack Trace (from fault):
[  0] 0x00007fdc40a3190a                        /lib64/ld-linux-x86-64.so.2+00051466
[  1] 0x00007fdc40a3a501                        /lib64/ld-linux-x86-64.so.2+00087297
[  2] 0x00007fdc40a354b4                        /lib64/ld-linux-x86-64.so.2+00066740
[  3] 0x00007fdc40a399f3                        /lib64/ld-linux-x86-64.so.2+00084467
[  4] 0x00007fdc3d2b6fc9                   /lib/x86_64-linux-gnu/libdl.so.2+00004041
[  5] 0x00007fdc40a354b4                        /lib64/ld-linux-x86-64.so.2+00066740
[  6] 0x00007fdc3d2b762d                   /lib/x86_64-linux-gnu/libdl.so.2+00005677
1 Solution

somesoni2
Revered Legend

Give this a try

props.conf on Indexer/Heavy forwarder

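[ <SOURCETYPE NAME> ]
# Do not merge lines; events are split only where LINE_BREAKER matches
SHOULD_LINEMERGE=false
disabled=false
# Break at a dashed rule followed by the "... detected at <timestamp>" header; the text in the first capture group is discarded
LINE_BREAKER=(-+[\r\n]+)(?=\s+\S+.+\w+\s\d{2}\s\d{2}:\d{2}:\d{2} \d{4})
# The timestamp starts after "at <weekday> " and only 20 characters are read, so the date on the Operating System line is not considered
TIME_FORMAT=%b %d %H:%M:%S %Y
TIME_PREFIX=at\s+\w+\s
MAX_TIMESTAMP_LOOKAHEAD=20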
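
An offline check of the settings in the answer above, added here as an example (not part of the original thread and not Splunk's own code): it approximates LINE_BREAKER and timestamp extraction with Python's re and strptime over a constructed sample of two crash dumps. The helper names make_dump, split_events and event_time are hypothetical, and the event splitting is a simplified model of what the indexer does.

```python
import re
from datetime import datetime

# Settings copied from the props.conf stanza in the answer above.
LINE_BREAKER = r"(-+[\r\n]+)(?=\s+\S+.+\w+\s\d{2}\s\d{2}:\d{2}:\d{2} \d{4})"
TIME_PREFIX = r"at\s+\w+\s"
TIME_FORMAT = "%b %d %H:%M:%S %Y"
MAX_TIMESTAMP_LOOKAHEAD = 20

RULE = "-" * 72

def make_dump(stamp):
    """Constructed sample in the shape of the crash dump from the question."""
    return "\n".join([
        RULE,
        f"       Segmentation violation detected at {stamp}",
        RULE,
        "Configuration:",
        "  MATLAB Version     : 8.4.0.150421 (R2014b)",
        "  Operating System   : Linux 4.2.0-34-generic #39-Ubuntu SMP Thu Mar 10 22:13:01 UTC 2016 x86_64",
        "Fault Count: 1",
        "Stack Trace (from fault):",
        "[  0] 0x00007fdc40a3190a    /lib64/ld-linux-x86-64.so.2+00051466",
    ]) + "\n"

SAMPLE = make_dump("Wed Mar 23 15:52:27 2016") + make_dump("Thu Mar 24 09:01:05 2016")

def split_events(raw):
    """Break where LINE_BREAKER matches; the text of capture group 1 is dropped."""
    events, start = [], 0
    for m in re.finditer(LINE_BREAKER, raw):
        if raw[start:m.start(1)].strip():
            events.append(raw[start:m.start(1)])
        start = m.end(1)
    if raw[start:].strip():
        events.append(raw[start:])
    return events

def event_time(event):
    """Parse only the MAX_TIMESTAMP_LOOKAHEAD characters after TIME_PREFIX."""
    m = re.search(TIME_PREFIX, event)
    if m is None:
        return None
    window = event[m.end():m.end() + MAX_TIMESTAMP_LOOKAHEAD]
    return datetime.strptime(window, TIME_FORMAT)

if __name__ == "__main__":
    for ev in split_events(SAMPLE):
        print(event_time(ev), len(ev.splitlines()), "lines")
```

Each crash dump stays one event that still contains the Operating System line, and the event time comes from the "detected at" header rather than the kernel build date.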
