All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Events not appearing

chriswong187
Explorer
‎10-04-2019 07:00 AM

I configured the sourcetype to fml:log according to the details but no events appear.

When the sourcetype is changed to syslog events start to appear.

Switching back to fml:log stops events again. Any ideas?

Reply
1 Solution
Solved! Jump to solution
Solution

chriswong187
Explorer
‎10-11-2019 06:48 AM

Hi all, after going through the splunkd.log and I saw a few entries that indicated the LINE_BREAKER entry in props.conf wasn't working right.

LineBreakingProcessor - Truncating line because limit of 99999 bytes has been exceeded with a line length >= 100063

I tried a few variations of LINE_BREAKER in props.conf and ultimately got it to work. I ended up changing

LINE_BREAKER = ([\n\r]+)date=\d{4}\-\d{2}\-\d{2}

To

LINE_BREAKER = ([\n\r]+)

I also reverted the previous changes I had tried with TRANSFORMS back to their default values and things still seemed to work with this new LINE_BREAKER. ¯\(ツ)

Thanks to all that replied with suggestions.

*edit: code blocks

View solution in original post

Reply
Solved! Jump to solution
Solution

chriswong187
Explorer
‎10-11-2019 06:48 AM

Hi all, after going through the splunkd.log and I saw a few entries that indicated the LINE_BREAKER entry in props.conf wasn't working right.

LineBreakingProcessor - Truncating line because limit of 99999 bytes has been exceeded with a line length >= 100063

I tried a few variations of LINE_BREAKER in props.conf and ultimately got it to work. I ended up changing

LINE_BREAKER = ([\n\r]+)date=\d{4}\-\d{2}\-\d{2}

To

LINE_BREAKER = ([\n\r]+)

I also reverted the previous changes I had tried with TRANSFORMS back to their default values and things still seemed to work with this new LINE_BREAKER. ¯\(ツ)

Thanks to all that replied with suggestions.

*edit: code blocks

Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎10-12-2019 11:30 PM

Come back and click Accept on your answer to close your question.

0 Karma
Reply
Solved! Jump to solution

pruthvikrishnap
Contributor
‎10-07-2019 01:59 PM

Hi Chris,
one thing we can do is to go to Splunk UI

Settings > Sourcetypes > select syslog > advanced settings
Copy the settings and create a new sourcetype with the same settings and then use it.
It should have it resolved.

0 Karma
Reply
Solved! Jump to solution

prakash007
Builder
‎10-04-2019 08:51 AM

@chriswong187 looks like you have to make some tweaks to bypass syslog(in built splunk sourcetype) parsing according to your requirements..

Check this out....
https://www.splunk.com/blog/2008/04/16/overriding-default-syslog-host-extraction.html

Check your props/transforms with btool..

$SPLUNK_HOME/bin/splunk cmd btool props list --debug syslog
$SPLUNK_HOME/bin/splunk cmd btool props list --debug fml:log
0 Karma
Reply
Solved! Jump to solution

chriswong187
Explorer
‎10-07-2019 07:13 AM

Thanks for pointing me to the article. I took some steps to correct everything based on the article but it didn't seem to work, unless i overlooked something. Here's some info on what I found: 

PS C:\Program Files\Splunk\bin> splunk cmd btool props list --debug syslog
C:\Program Files\Splunk\etc\system\default\props.conf            TRANSFORMS = syslog-host

PS C:\Program Files\Splunk\bin> splunk cmd btool props list --debug fml:log
C:\Program Files\Splunk\etc\apps\Splunk_TA_fortimail\local\props.conf   TRANSFORMS =

I modified the fortimail props.conf to include this: 

TRANSFORMS = fortimail

And included this in the transforms.conf:

[fortimail]
DEST_KEY = MetaData:Host
REGEX = .
FORMAT = host::host.fqdn host::host2.fqdn
0 Karma
Reply
Solved! Jump to solution

prakash007
Builder
‎10-07-2019 07:17 AM

which splunk instance you have this configs deployed..?? heavy forwarder or indexer..??

0 Karma
Reply
Solved! Jump to solution

chriswong187
Explorer
‎10-07-2019 07:31 AM

Indexer only, I have a single server deployment.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Unlock What’s Next: The Splunk Cloud Platform at .conf25

In just a few days, Boston will be buzzing as the Splunk team and thousands of community members come together ...