Event Breaks with FlexLM Licenses not ingesting consistently

sirkgm14vg — Thu, 06 Mar 2014 19:49:55 GMT

I'm individually bringing in FlexLM files into Splunk, but alas, some of them are not parsing correctly. Some are fine, and what makes them unique is the timestamping.

The log file inserts timestamps without dates per line, but uses a timestamp with data to show the date, and each event on that date. It appears some of the FlexLM files are captured correctly. And some are not. Example.

        Timestamp   Event
1   3/4/14 12:58:59.000 PM  
12:58:59 (lmgrd) -----------------------------------------------
12:58:59 (lmgrd)   Please Note:
12:58:59 (lmgrd) 
12:58:59 (lmgrd)   This log is intended for debug purposes only.
12:58:59 (lmgrd)   In order to capture accurate license
12:58:59 (lmgrd)   usage data into an organized repository,
12:58:59 (lmgrd)   please enable report logging. Use Macrovision's
12:58:59 (lmgrd)   software license administration  solution,
12:58:59 (lmgrd)   FLEXnet Manager, to  readily gain visibility
12:58:59 (lmgrd)   into license usage data and to create
12:58:59 (lmgrd)   insightful reports on critical information like
12:58:59 (lmgrd)   license availability and usage. FLEXnet Manager
12:58:59 (lmgrd)   can be fully automated to run these reports on
12:58:59 (lmgrd)   schedule and can be used to track license
12:58:59 (lmgrd)   servers and usage across a heterogeneous
12:58:59 (lmgrd)   network of servers including Windows NT, Linux
12:58:59 (lmgrd)   and UNIX. Contact Macrovision at
12:58:59 (lmgrd)   www.macrovision.com for more details on how to
12:58:59 (lmgrd)   obtain an evaluation copy of FLEXnet Manager
12:58:59 (lmgrd)   for your enterprise.
12:58:59 (lmgrd) 
12:58:59 (lmgrd) -----------------------------------------------
12:58:59 (lmgrd) 
12:58:59 (lmgrd) 
2   1/20/11 12:58:59.000 PM 
12:58:59 (lmgrd) FLEXnet Licensing (v10.8.0.7 build 26147) started on warehouse (linux) (1/20/2011)
12:58:59 (lmgrd) Copyright (c) 1988-2006 Macrovision Europe Ltd. and/or Macrovision Corporation. All Rights Reserved.

This is even better example

24  1/25/11 7:00:51.000 PM  
19:00:51 (lmgrd) TIMESTAMP 1/25/2011
25  1/26/11 1:00:51.000 AM  
 1:00:51 (lmgrd) TIMESTAMP 1/26/2011
26  1/26/11 7:00:51.000 AM  
 7:00:51 (lmgrd) TIMESTAMP 1/26/2011
27  1/26/11 1:00:51.000 PM  
13:00:51 (lmgrd) TIMESTAMP 1/26/2011
17:39:41 (toolworks) OUT: "TotalView_Team" Jeffrey.Durachta@an006  
17:43:40 (toolworks) IN: "TotalView_Team" Jeffrey.Durachta@an006  
28  1/26/11 7:00:51.000 PM  
19:00:51 (lmgrd) TIMESTAMP 1/26/2011
29  1/27/11 1:00:51.000 AM  
 1:00:51 (lmgrd) TIMESTAMP 1/27/2011
30  1/27/11 7:00:51.000 AM  
 7:00:51 (lmgrd) TIMESTAMP 1/27/2011
31  1/27/11 1:00:51.000 PM  
13:00:51 (lmgrd) TIMESTAMP 1/27/2011
13:01:47 (toolworks) OUT: "TotalView_Team" mjn@mjn  
13:04:57 (toolworks) IN: "TotalView_Team" mjn@mjn  
13:05:15 (toolworks) OUT: "TotalView_Team" mjn@mjn  
13:07:50 (toolworks) IN: "TotalView_Team" mjn@mjn  
13:08:21 (toolworks) OUT: "TotalView_Team" mjn@mjn  
13:09:42 (toolworks) IN: "TotalView_Team" mjn@mjn  
13:32:19 (toolworks) OUT: "TotalView_Team" mjn@mjn  
13:32:26 (toolworks) IN: "TotalView_Team" mjn@mjn  
32  1/27/11 7:00:51.000 PM  
19:00:51 (lmgrd) TIMESTAMP 1/27/2011
33  1/28/11 1:00:51.000 AM  
 1:00:51 (lmgrd) TIMESTAMP 1/28/2011
34  1/28/11 7:00:51.000 AM  
 7:00:51 (lmgrd) TIMESTAMP 1/28/2011
35  1/28/11 1:00:51.000 PM  
13:00:51 (lmgrd) TIMESTAMP 1/28/2011
13:07:35 (toolworks) OUT: "TotalView_Team" Peter.Phillipps@an003  
13:57:12 (toolworks) IN: "TotalView_Team" Peter.Phillipps@an003

However in my other log is PGI (not working):

2   3/5/14 12:58:02.000 PM  
12:58:02 (pgroupd) OUT: "pgf90-linux86" gkv@class07  
3   3/5/14 12:58:02.000 PM  
12:58:02 (pgroupd) IN: "pgf90-linux86" gkv@class07  
4   3/5/14 12:58:02.000 PM  
12:58:02 (pgroupd) OUT: "pgf90-linux86" gkv@class07  
5   3/5/14 12:58:02.000 PM  
12:58:02 (pgroupd) IN: "pgf90-linux86" gkv@class07  
6   3/5/14 12:59:26.000 PM  
12:59:26 (pgroupd) OUT: "pgf90-linux86" gkv@class07  
7   3/5/14 12:59:26.000 PM  
12:59:26 (pgroupd) IN: "pgf90-linux86" gkv@class07  
8   3/5/14 12:59:26.000 PM  
12:59:26 (pgroupd) OUT: "pgf90-linux86" gkv@class07  
9   3/5/14 12:59:26.000 PM  
12:59:26 (pgroupd) IN: "pgf90-linux86" gkv@class07  
10  3/5/14 1:17:42.000 PM   
13:17:42 (pgroupd) OUT: "pgf90-linux86" gkv@class07  
11  3/5/14 1:17:43.000 PM   
13:17:43 (pgroupd) IN: "pgf90-linux86" gkv@class07  
12  3/5/14 1:17:43.000 PM   
13:17:43 (pgroupd) OUT: "pgf90-linux86" gkv@class07  
13  3/5/14 1:17:43.000 PM   
13:17:43 (pgroupd) IN: "pgf90-linux86" gkv@class07  
14  3/4/14 4:32:33.000 PM   
16:32:33 (lmgrd) TIMESTAMP 5/9/2001
15  3/3/14 10:32:33.000 PM  
22:32:33 (lmgrd) TIMESTAMP 5/9/2001
16  3/3/14 4:32:33.000 AM   
 4:32:33 (lmgrd) TIMESTAMP 5/10/2001
17  3/2/14 10:32:33.000 AM  
10:32:33 (lmgrd) TIMESTAMP 5/10/2001
18  3/1/14 4:32:33.000 PM   
16:32:33 (lmgrd) TIMESTAMP 5/10/2001
19  2/28/14 10:32:33.000 PM 
22:32:33 (lmgrd) TIMESTAMP 5/10/2001
20  2/28/14 4:32:33.000 AM  
 4:32:33 (lmgrd) TIMESTAMP 5/11/2001

I understand that I could simply start with the props.conf, and if someone wants to take a whack a solution, that'd be awesome. With that I'd really like someone to provide me the syntax to remove the banner/header that appears in the logs. But also to help capture that date correctly the way it's distributed in the TotalViewFile.

Re: Event Breaks with FlexLM Licenses not ingesting consistently

k2skaterii — Fri, 18 Dec 2015 23:19:55 GMT

Did you ever find a solution to this?

I'm trying to ingest a very similar FlexLM debug file, in an attempt to track our actualy license usage.

Thanks!

Re: Event Breaks with FlexLM Licenses not ingesting consistently

ckdoan — Fri, 27 May 2016 21:48:33 GMT

Were you ever able to achieve this?

Re: Event Breaks with FlexLM Licenses not ingesting consistently

sfishback — Thu, 01 Dec 2016 20:22:28 GMT

I'm also trying to parse the FLEXlm logs but still struggling.

which translates to something like this in the Field Extractor:

^(?P[^ ]+)\s+(?P< FLEXlm_Daemon>[^ ]+)\s+(?P< FLEXlm_Message>\w+:)\s+(?P< FLEXlm_Module>[^ ]+)\s+(?P< FLEXlm_User>.+)

Some have a space at the beginning which throws everything off and being excluded from my searches.

I found this wonderful tool which has helped with getting the regex better http://regexr.com/

(\d+:\d+:\d+)\s+([^ ]+)\s+(\w+:)\s+([^ ]+)(.+)

This is not working a 100% but it's a start. Welcome suggestions on improvement others out there

Re: Event Breaks with FlexLM Licenses not ingesting consistently

sirkgm14vg — Tue, 13 Dec 2016 21:03:53 GMT

Actually I was able to figure this out. I haven't circled back on this. I was able to get this to ingest correctly, but I need to check with colleagues at a previous employer for what I did.

Re: Event Breaks with FlexLM Licenses not ingesting consistently

chandanmla — Wed, 26 Jul 2017 15:14:04 GMT

Hello, what can be the parsing to get only events with "IN" and "OUT" ?

topic Re: Event Breaks with FlexLM Licenses not ingesting consistently in Splunk Search

Event Breaks with FlexLM Licenses not ingesting consistently

Re: Event Breaks with FlexLM Licenses not ingesting consistently

Re: Event Breaks with FlexLM Licenses not ingesting consistently

Re: Event Breaks with FlexLM Licenses not ingesting consistently

Re: Event Breaks with FlexLM Licenses not ingesting consistently

Re: Event Breaks with FlexLM Licenses not ingesting consistently