Why is line breaking not consistent on Tomcat logs

patrick_nobles7
New Member

I've written the props.conf below and placed it in etc\apps\local.
I'm getting sporadic results and lines are being chunked together.
Any help would be greatly appreciated.

[tomcat:jackrabbit:log]
SHOULD_LINEMERGE = false
MAX_TIMESTAMP_LOOKAHEAD = 23
LINE_BREAKER = ([\r\n]+)(\d{4}-\d{2}-\d{2}_\d{2}:\d{2}:\d{2}.\d{3})
TIME_FORMAT = %Y-%m-%d_%H:%M:%S.%3N
TIME_PREFIX = ^
#BREAK_ONLY_BEFORE = ([\r\n]+)(\d{4}-\d{2}-\d{2}_\d{2}:\d{2}:\d{2}.\d{3})

Logged Events:

2019-11-12_14:06:11.682 [http-nio-8081-exec-3_UpdateFundingRate_null] TRACE: 78420:1: setObject: 1 Inputs - |SEAGH0R5| ownerId, ALR_RID_OWNER, java.lang.String
2019-11-12_14:06:11.682 [http-nio-8081-exec-3_UpdateFundingRate_null] TRACE: 78420:1: setObject: 2 Inputs - |CUS  | ownerType, ALR_CDE_OWNER_TYPE, java.lang.String
2019-11-12_14:06:11.698 [http-nio-8081-exec-3_UpdateFundingRate_null] DEBUG: execute sql jar:file:/C:/LOANIQ/Server/mssxml.jar!/78420.xml, Row Count = 0
2019-11-12_14:06:11.729 [http-nio-8081-exec-7_RunXQuery_null] DEBUG: execute trans for xml file = SqlQuery[1,JDBCAdapterSqlXml[78420,jar:file:/C:/LOANIQ/Server/mssxml.jar!/78420.xml,in:2,out:9,count:1,exec:DEFAULT]]
2019-11-12_14:06:11.729 [http-nio-8081-exec-7_RunXQuery_null] TRACE: Prepared 78420:1 {

    SELECT
      ALR_TSP_REC_CREATE ,
      ALR_UID_REC_CREATE ,
      ALR_TXT_DETAILS ,
      ALR_RID_ALERT ,
      ALR_RID_OWNER ,
      ALR_CDE_OWNER_TYPE ,
      ALR_TXT_SHORT_DESC ,
      ALR_TSP_REC_UPDATE ,
      ALR_UID_REC_UPDATE
    FROM
      VLS_ALERT
    WHERE
      ALR_RID_OWNER      =  CAST ( ? AS CHAR ( 8 ) )  AND
      ALR_CDE_OWNER_TYPE =  CAST ( ? AS CHAR ( 5 ) )
       /* LIQ-78420.xml */

      } com.misys.liq.jsqlaccess.adapter.jdbcadapter.JDBCWrapper
`com.microsoft.sqlserver.jdbc.SQLServerPreparedStatement@6ee94345
2019-11-12_14:06:11.729 [http-nio-8081-exec-7_RunXQuery_null] TRACE: 78420:1: setObject: 1 Inputs - |+3BATO74| ownerId, ALR_RID_OWNER, java.lang.String
2019-11-12_14:06:11.729 [http-nio-8081-exec-7_RunXQuery_null] TRACE: 78420:1: setObject: 2 Inputs - |DEA  | ownerType, ALR_CDE_OWNER_TYPE, java.lang.String
2019-11-12_14:06:11.744 [http-nio-8081-exec-7_RunXQuery_null] DEBUG: execute sql jar:file:/C:/LOANIQ/Server/mssxml.jar!/78420.xml, Row Count = 0
2019-11-12_14:06:11.776 [http-nio-8081-exec-9_RunXQuery_null] DEBUG: execute trans for xml file = SqlQuery[1,JDBCAdapterSqlXml[78420,jar:file:/C:/LOANIQ/Server/mssxml.jar!/78420.xml,in:2,out:9,count:1,exec:DEFAULT]]
2019-11-12_14:06:11.776 [http-nio-8081-exec-9_RunXQuery_null] TRACE: Prepared 78420:1 {

harsmarvania57
SplunkTrust

Hi,

Please try the configuration below on the first Splunk Enterprise instance (IDX or HW).

props.conf

[yourSourcetype]
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)\d{4}-\d{2}-\d{2}_\d{2}\:\d{2}\:\d{2}\.\d{3}
TIME_FORMAT=%Y-%m-%d_%H:%M:%S.%3N
TIME_PREFIX=^
MAX_TIMESTAMP_LOOKAHEAD=23

patrick_nobles7
New Member

Thanks for your input, but it is still not working. I updated the props.conf and restarted the UF:
2019-11-12_15:53:15.243 [http-nio-8081-exec-1_RunXQuery_null] TRACE: 35121:1 : Row : {0=[column=OAR_CDE_APRVL_TRAN value=ACADJ], 1=[column=OAR_TXT_APRVR1_RNK value=30], 5=[column=OAR_NUM_LOC_APRVRS value=0], 7=[column=OAR_TSP_REC_CREATE value=2010-07-06 08:20:29.64], 8=[column=OAR_UID_REC_CREATE value=RNOWOTNY], 9=[column=OAR_CDE_CURRENCY value=USD], 10=[column=OAR_AMT_TRN_GLOBAL value=25], 11=[column=OAR_RID_APRVL_RULE value=1O94Z8HG], 12=[column=OAR_NUM_SORT_ORDER value=5], 13=[column=OAR_AMT_POST_TRAN value=0], 14=[column=OAR_IND_PRCSR_APRV value=Y], 15=[column=TEX_IND_VALUE value=N], 16=[column=OAR_AMT_TRAN value=0], 17=[column=OAR_TSP_REC_UPDATE value=2019-11-08 12:00:50.212], 18=[column=OAR_UID_REC_UPDATE value=PANDERSO], 19=[column=OAR_IND_WARN_OVRDN value=N]}
2019-11-12_15:53:15.243 [http-nio-8081-exec-1_RunXQuery_null] TRACE: 35121:1 : Row : {0=[column=OAR_CDE_APRVL_TRAN value=ACADJ], 1=[column=OAR_TXT_APRVR1_RNK value=30], 5=[column=OAR_NUM_LOC_APRVRS value=0], 7=[column=OAR_TSP_REC_CREATE value=2012-02-10 15:27:29.25], 8=[column=OAR_UID_REC_CREATE value=RNOWOTNY], 9=[column=OAR_CDE_CURRENCY value=USD], 10=[column=OAR_AMT_TRN_GLOBAL value=500], 11=[column=OAR_RID_APRVL_RULE value=9-9Z19KO], 12=[column=OAR_NUM_SORT_ORDER value=6], 13=[column=OAR_AMT_POST_TRAN value=0], 14=[column=OAR_IND_PRCSR_APRV value=N], 15=[column=TEX_IND_VALUE value=N], 16=[column=OAR_AMT_TRAN value=0], 17=[column=OAR_TSP_REC_UPDATE value=2019-11-08 12:00:50.212], 18=[column=OAR_UID_REC_UPDATE value=PANDERSO], 19=[column=OAR_IND_WARN_OVRDN value=N]}
2019-11-12_15:53:15.243 [http-nio-8081-exec-1_RunXQuery_null] TRACE: 35121:1 : Row : {0=[column=OAR_CDE_APRVL_TRAN value=ACADJ], 1=[column=OAR_TXT_APRVR1_RNK value=50], 5=[column=OAR_NUM_LOC_APRVRS value=0], 7=[column=OAR_TSP_REC_CREATE value=2012-02-24 15:00:40.01], 8=[column=OAR_UID_REC_CREATE value=RNOWOTNY], 9=[column=OAR_CDE_CURRENCY value=USD], 10=[column=OAR_AMT_TRN_GLOBAL value=0], 11=[column=OAR_RID_APRVL_RULE value=KW9ZR5OR], 12=[column=OAR_NUM_SORT_ORDER value=7], 13=[column=OAR_AMT_POST_TRAN value=0], 14=[column=OAR_IND_PRCSR_APRV value=N], 15=[column=TEX_IND_VALUE value=N], 16=[column=OAR_AMT_TRAN value=0], 17=[column=OAR_TSP_REC_UPDATE value=2019-11-08 12:00:50.212], 18=[column=OAR_UID_REC_UPDATE value=PANDERSO], 19=[column=OAR_IND_WARN_OVRDN value=N]}
2019-11-12_15:53:15.243 [http-nio-8081-exec-1_RunXQuery_null] DEBUG: execute sql jar:file:/C:/LOANIQ/Server/mssxml.jar!/35121.xml, Row Count = 7
2019-11-12_15:53:15.274 [http-nio-8081-exec-4_RunXQuery_null] DEBUG: execute trans for xml file = SqlQuery[1,JDBCAdapterSqlXml[66822,jar:file:/C:/LOANIQ/Server/mssxml.jar!/66822.xml,in:2,out:15,count:1,exec:DEFAULT]]
2019-11-12_15:53:15.274 [http-nio-8081-exec-4_RunXQuery_null] TRACE: Prepared 66822:1 {

SELECT
  TEX_TSP_REC_CREATE ,
  TEX_UID_REC_CREATE ,
  TEX_RID_TABLE_EXT ,
  TEX_RID_OWNER ,
  TEX_CDE_OWNER_TYPE ,
  TEX_NME_POTEN_COL ,
  TEX_TSP_REC_UPDATE ,
  TEX_UID_REC_UPDATE ,
   TEX_AMT_VALUE ,
  TEX_DTE_VALUE ,
  TEX_IND_VALUE ,
  TEX_INT_VALUE ,
   TEX_RTO_VALUE ,
  TEX_TXT_VALUE ,
  TEX_TSP_VALUE
FROM
  VLS_TABLE_EXT ,
  VLS_ONL_APRVL_RULE
WHERE
  TEX_NME_POTEN_COL  =  CAST ( ? AS CHAR ( 18 ) )  AND
  OAR_CDE_APRVL_TRAN =  CAST ( ? AS CHAR ( 5 ) )  AND
  OAR_RID_APRVL_RULE =  TEX_RID_OWNER
   /* LIQ-66822.xml */

  } com.misys.liq.jsqlaccess.adapter.jdbcadapter.JDBCWrapper@206d6365 com.microsoft.sqlserver.jdbc.SQLServerPreparedStatement@4a764b82

2019-11-12_15:53:15.274 [http-nio-8081-exec-4_RunXQuery_null] TRACE: 66822:1: setObject: 1 Inputs - |OAR_IND_CRTR_APRV | potentialColumnName, TEX_NME_POTEN_COL, java.lang.String
2019-11-12_15:53:15.274 [http-nio-8081-exec-4_RunXQuery_null] TRACE: 66822:1: setObject: 2 Inputs - |ACADJ| approvableTransactionCode, OAR_CDE_APRVL_TRAN, java.lang.String
2019-11-12_15:53:15.274 [http-nio-8081-exec-4_RunXQuery_null] TRACE: 66822:1 : Row : {0=[column=TEX_TSP_REC_CREATE value=2019-08-10 02:25:23.2], 1=[column=TEX_UID_REC_CREATE value=LIQ_API], 2=[column=TEX_RID_TABLE_EXT value=T/X00023], 3=[column=TEX_RID_OWNER value=1O94Z8HG], 4=[column=TEX_CDE_OWNER_TYPE value=OAR], 5=[column=TEX_NME_POTEN_COL value=OAR_IND_CRTR_APRV], 6=[column=TEX_TSP_REC_UPDATE value=2019-08-10 02:25:23.2], 7=[column=TEX_UID_REC_UPDATE value=LIQ_API], 10=[column=TEX_IND_VALUE value=Y]}
2019-11-12_15:53:15.274 [http-nio-8081-exec-4_RunXQuery_null] TRACE: 66822:1 : Row : {0=[column=TEX_TSP_REC_CREATE value=2019-08-10 02:25:23.2], 1=[column=TEX_UID_REC_CREATE value=LIQ_API], 2=[column=TEX_RID_TABLE_EXT value=T/X00027], 3=[column=TEX_RID_OWNER value=9-9Z19KO], 4=[column=TEX_CDE_OWNER_TYPE value=OAR], 5=[column=TEX_NME_POTEN_COL value=OAR_IND_CRTR_APRV], 6=[column=TEX_TSP_REC_UPDATE value=2019-08-10 02:25:23.2], 7=[column=TEX_UID_REC_UPDATE value=LIQ_API], 10=[column=TEX_IND_VALUE value=N]}
2019-11-12_15:53:15.274 [http-nio-8081-exec-4_RunXQuery_null] TRACE: 66822:1 : Row : {0=[column=TEX_TSP_REC_CREATE value=2019-08-10 02:25:23.2], 1=[column=TEX_UID_REC_CREATE value=LIQ_API], 2=[column=TEX_RID_TABLE_EXT value=T/X00029], 3=[column=TEX_RID_OWNER value=DI9PWXWZ], 4=[column=TEX_CDE_OWNER_TYPE value=OAR], 5=[column=TEX_NME_POTEN_COL value=OAR_IND_CRTR_APRV], 6=[column=TEX_TSP_REC_UPDATE value=2019-08-10 02:25:23.2], 7=[column=TEX_UID_REC_UPDATE value=LIQ_API], 10=[column=TEX_IND_VALUE value=Y]}
2019-11-12_15:53:15.274 [http-nio-8081-exec-4_RunXQuery_null] TRACE: 66822:1 : Row : {0=[column=TEX_TSP_REC_CREATE value=2019-08-10 02:25:23.2], 1=[column=TEX_UID_REC_CREATE value=LIQ_API], 2=[column=TEX_RID_TABLE_EXT value=T/X00084], 3=[column=TEX_RID_OWNER value=J(9KRUL8], 4=[column=TEX_CDE_OWNER_TYPE value=OAR], 5=[column=TEX_NME_POTEN_COL value=OAR_IND_CRTR_APRV], 6=[column=TEX_TSP_REC_UPDATE value=2019-08-10 02:25:23.2], 7=[column=TEX_UID_REC_UPDATE value=LIQ_API], 10=[column=TEX_IND_VALUE value=N]}
2019-11-12_15:53:15.274 [http-nio-8081-exec-4_RunXQuery_null] TRACE: 66822:1 : Row : {0=[column=TEX_TSP_REC_CREATE value=2019-08-10 02:25:23.2], 1=[column=TEX_UID_REC_CREATE value=LIQ_API], 2=[column=TEX_RID_TABLE_EXT value=T/X00139], 3=[column=TEX_RID_OWNER value=KW9ZR5OR], 4=[column=TEX_CDE_OWNER_TYPE value=OAR], 5=[column=TEX_NME_POTEN_COL value=OAR_IND_CRTR_APRV], 6=[column=TEX_TSP_REC_UPDATE value=2019-08-10 02:25:23.2], 7=[column=TEX_UID_REC_UPDATE value=LIQ_API], 10=[column=TEX_IND_VALUE value=N]}
2019-11-12_15:53:15.274 [http-nio-8081-exec-4_RunXQuery_null] TRACE: 66822:1 : Row : {0=[column=TEX_TSP_REC_CREATE value=2019-08-10 02:25:23.2], 1=[column=TEX_UID_REC_CREATE value=LIQ_API], 2=[column=TEX_RID_TABLE_EXT value=T/X00147], 3=[column=TEX_RID_OWNER value=Y*94SS3I], 4=[column=TEX_CDE_OWNER_TYPE value=OAR], 5=[column=TEX_NME_POTEN_COL value=OAR_IND_CRTR_APRV], 6=[column=TEX_TSP_REC_UPDATE value=2019-08-10 02:25:23.2], 7=[column=TEX_UID_REC_UPDATE value=LIQ_API], 10=[column=TEX_IND_VALUE value=Y]}


harsmarvania57
SplunkTrust

The configuration which I have provided will not work on a UF; you need to configure it on the first Splunk Enterprise instance (Indexer or Heavy Forwarder) from the UF.
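
Added example, not part of the thread: an offline check of the LINE_BREAKER pattern from the answer above, to separate "regex is wrong" from "props.conf is on the wrong tier". It assumes Python's re behaves like Splunk's regex engine for this pattern; the sample data and the split_events helper are constructed for illustration.

```python
import re

# LINE_BREAKER value from the answer in this thread.
LINE_BREAKER = r"([\r\n]+)\d{4}-\d{2}-\d{2}_\d{2}\:\d{2}\:\d{2}\.\d{3}"

# Constructed sample modelled on the log format posted in the thread.
SAMPLE = (
    "2019-11-12_15:53:15.243 [exec-1] DEBUG: execute sql, Row Count = 7\r\n"
    "2019-11-12_15:53:15.274 [exec-4] TRACE: Prepared 66822:1 {\r\n"
    "\r\n"
    "SELECT\r\n"
    "  TEX_IND_VALUE\r\n"
    "FROM\r\n"
    "  VLS_TABLE_EXT\r\n"
    "\r\n"
    "  } JDBCWrapper\r\n"
    "\r\n"
    "2019-11-12_15:53:15.274 [exec-4] TRACE: Row : {0=[column=TEX_TSP_REC_CREATE "
    "value=2019-08-10 02:25:23.2]}\r\n"
)


def split_events(raw, line_breaker=LINE_BREAKER):
    """Approximate LINE_BREAKER semantics: the text matched by the first
    capture group is discarded and marks the boundary between two events."""
    events, start = [], 0
    for m in re.finditer(line_breaker, raw):
        events.append(raw[start:m.start(1)])  # event ends where group 1 begins
        start = m.end(1)                      # next event starts after group 1
    tail = raw[start:].rstrip("\r\n")
    if tail:
        events.append(tail)
    return events


if __name__ == "__main__":
    for i, ev in enumerate(split_events(SAMPLE), 1):
        print(f"--- event {i} ({len(ev.splitlines())} lines) ---")
        print(ev)
```

The multi-line SQL block stays inside the "Prepared" event, and the timestamp inside the Row payload does not start a new event because it is not preceded by a newline and uses a space instead of an underscore.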