All Apps and Add-ons

Why is line breaking not consistent on Tomcat logs

patrick_nobles7
New Member

I've written for below props.conf and placed in etc\apps\local.
I'm getting sporadic results and lines are being chunked together.
Any help would be greatly appreciated.

[tomcat:jackrabbit:log]
SHOULD_LINEMERGE = false
MAX_TIMESTAMP_LOOKAHEAD = 23
LINE_BREAKER = ([\r\n]+)(\d{4}-\d{2}-\d{2}_\d{2}:\d{2}:\d{2}.\d{3})
TIME_FORMAT = %Y-%m-%d_%H:%M:%S.%3N
TIME_PREFIX = ^
#BREAK_ONLY_BEFORE = ([\r\n]+)(\d{4}-\d{2}-\d{2}_\d{2}:\d{2}:\d{2}.\d{3})

Logged Events:

2019-11-12_14:06:11.682 [http-nio-8081-exec-3_UpdateFundingRate_null] TRACE: 78420:1: setObject: 1 Inputs - |SEAGH0R5| ownerId, ALR_RID_OWNER, java.lang.String
2019-11-12_14:06:11.682 [http-nio-8081-exec-3_UpdateFundingRate_null] TRACE: 78420:1: setObject: 2 Inputs - |CUS  | ownerType, ALR_CDE_OWNER_TYPE, java.lang.String
2019-11-12_14:06:11.698 [http-nio-8081-exec-3_UpdateFundingRate_null] DEBUG: execute sql jar:file:/C:/LOANIQ/Server/mssxml.jar!/78420.xml, Row Count = 0
2019-11-12_14:06:11.729 [http-nio-8081-exec-7_RunXQuery_null] DEBUG: execute trans for xml file = SqlQuery[1,JDBCAdapterSqlXml[78420,jar:file:/C:/LOANIQ/Server/mssxml.jar!/78420.xml,in:2,out:9,count:1,exec:DEFAULT]]
2019-11-12_14:06:11.729 [http-nio-8081-exec-7_RunXQuery_null] TRACE: Prepared 78420:1 {

    SELECT
      ALR_TSP_REC_CREATE ,
      ALR_UID_REC_CREATE ,
      ALR_TXT_DETAILS ,
      ALR_RID_ALERT ,
      ALR_RID_OWNER ,
      ALR_CDE_OWNER_TYPE ,
      ALR_TXT_SHORT_DESC ,
      ALR_TSP_REC_UPDATE ,
      ALR_UID_REC_UPDATE
    FROM
      VLS_ALERT
    WHERE
      ALR_RID_OWNER      =  CAST ( ? AS CHAR ( 8 ) )  AND
      ALR_CDE_OWNER_TYPE =  CAST ( ? AS CHAR ( 5 ) )
       /* LIQ-78420.xml */

      } com.misys.liq.jsqlaccess.adapter.jdbcadapter.JDBCWrapper
`com.microsoft.sqlserver.jdbc.SQLServerPreparedStatement@6ee94345
2019-11-12_14:06:11.729 [http-nio-8081-exec-7_RunXQuery_null] TRACE: 78420:1: setObject: 1 Inputs - |+3BATO74| ownerId, ALR_RID_OWNER, java.lang.String
2019-11-12_14:06:11.729 [http-nio-8081-exec-7_RunXQuery_null] TRACE: 78420:1: setObject: 2 Inputs - |DEA  | ownerType, ALR_CDE_OWNER_TYPE, java.lang.String
2019-11-12_14:06:11.744 [http-nio-8081-exec-7_RunXQuery_null] DEBUG: execute sql jar:file:/C:/LOANIQ/Server/mssxml.jar!/78420.xml, Row Count = 0
2019-11-12_14:06:11.776 [http-nio-8081-exec-9_RunXQuery_null] DEBUG: execute trans for xml file = SqlQuery[1,JDBCAdapterSqlXml[78420,jar:file:/C:/LOANIQ/Server/mssxml.jar!/78420.xml,in:2,out:9,count:1,exec:DEFAULT]]
2019-11-12_14:06:11.776 [http-nio-8081-exec-9_RunXQuery_null] TRACE: Prepared 78420:1 {
0 Karma

harsmarvania57
Ultra Champion

Hi,

Please try below configuration on first Splunk Enterprise Instance (IDX or HW).

props.conf

[yourSourcetype]
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)\d{4}-\d{2}-\d{2}_\d{2}\:\d{2}\:\d{2}\.\d{3}
TIME_FORMAT=%Y-%m-%d_%H:%M:%S.%3N
TIME_PREFIX=^
MAX_TIMESTAMP_LOOKAHEAD=23
0 Karma

patrick_nobles7
New Member

Thanks for your input, but still not working. I updated the props.conf and restarted the UF:
2019-11-12_15:53:15.243 [http-nio-8081-exec-1_RunXQuery_null] TRACE: 35121:1 : Row : {0=[column=OAR_CDE_APRVL_TRAN value=ACADJ], 1=[column=OAR_TXT_APRVR1_RNK value=30], 5=[column=OAR_NUM_LOC_APRVRS value=0], 7=[column=OAR_TSP_REC_CREATE value=2010-07-06 08:20:29.64], 8=[column=OAR_UID_REC_CREATE value=RNOWOTNY], 9=[column=OAR_CDE_CURRENCY value=USD], 10=[column=OAR_AMT_TRN_GLOBAL value=25], 11=[column=OAR_RID_APRVL_RULE value=1O94Z8HG], 12=[column=OAR_NUM_SORT_ORDER value=5], 13=[column=OAR_AMT_POST_TRAN value=0], 14=[column=OAR_IND_PRCSR_APRV value=Y], 15=[column=TEX_IND_VALUE value=N], 16=[column=OAR_AMT_TRAN value=0], 17=[column=OAR_TSP_REC_UPDATE value=2019-11-08 12:00:50.212], 18=[column=OAR_UID_REC_UPDATE value=PANDERSO], 19=[column=OAR_IND_WARN_OVRDN value=N]}
2019-11-12_15:53:15.243 [http-nio-8081-exec-1_RunXQuery_null] TRACE: 35121:1 : Row : {0=[column=OAR_CDE_APRVL_TRAN value=ACADJ], 1=[column=OAR_TXT_APRVR1_RNK value=30], 5=[column=OAR_NUM_LOC_APRVRS value=0], 7=[column=OAR_TSP_REC_CREATE value=2012-02-10 15:27:29.25], 8=[column=OAR_UID_REC_CREATE value=RNOWOTNY], 9=[column=OAR_CDE_CURRENCY value=USD], 10=[column=OAR_AMT_TRN_GLOBAL value=500], 11=[column=OAR_RID_APRVL_RULE value=9-9Z19KO], 12=[column=OAR_NUM_SORT_ORDER value=6], 13=[column=OAR_AMT_POST_TRAN value=0], 14=[column=OAR_IND_PRCSR_APRV value=N], 15=[column=TEX_IND_VALUE value=N], 16=[column=OAR_AMT_TRAN value=0], 17=[column=OAR_TSP_REC_UPDATE value=2019-11-08 12:00:50.212], 18=[column=OAR_UID_REC_UPDATE value=PANDERSO], 19=[column=OAR_IND_WARN_OVRDN value=N]}
2019-11-12_15:53:15.243 [http-nio-8081-exec-1_RunXQuery_null] TRACE: 35121:1 : Row : {0=[column=OAR_CDE_APRVL_TRAN value=ACADJ], 1=[column=OAR_TXT_APRVR1_RNK value=50], 5=[column=OAR_NUM_LOC_APRVRS value=0], 7=[column=OAR_TSP_REC_CREATE value=2012-02-24 15:00:40.01], 8=[column=OAR_UID_REC_CREATE value=RNOWOTNY], 9=[column=OAR_CDE_CURRENCY value=USD], 10=[column=OAR_AMT_TRN_GLOBAL value=0], 11=[column=OAR_RID_APRVL_RULE value=KW9ZR5OR], 12=[column=OAR_NUM_SORT_ORDER value=7], 13=[column=OAR_AMT_POST_TRAN value=0], 14=[column=OAR_IND_PRCSR_APRV value=N], 15=[column=TEX_IND_VALUE value=N], 16=[column=OAR_AMT_TRAN value=0], 17=[column=OAR_TSP_REC_UPDATE value=2019-11-08 12:00:50.212], 18=[column=OAR_UID_REC_UPDATE value=PANDERSO], 19=[column=OAR_IND_WARN_OVRDN value=N]}
2019-11-12_15:53:15.243 [http-nio-8081-exec-1_RunXQuery_null] DEBUG: execute sql jar:file:/C:/LOANIQ/Server/mssxml.jar!/35121.xml, Row Count = 7
2019-11-12_15:53:15.274 [http-nio-8081-exec-4_RunXQuery_null] DEBUG: execute trans for xml file = SqlQuery[1,JDBCAdapterSqlXml[66822,jar:file:/C:/LOANIQ/Server/mssxml.jar!/66822.xml,in:2,out:15,count:1,exec:DEFAULT]]
2019-11-12_15:53:15.274 [http-nio-8081-exec-4_RunXQuery_null] TRACE: Prepared 66822:1 {

SELECT
  TEX_TSP_REC_CREATE ,
  TEX_UID_REC_CREATE ,
  TEX_RID_TABLE_EXT ,
  TEX_RID_OWNER ,
  TEX_CDE_OWNER_TYPE ,
  TEX_NME_POTEN_COL ,
  TEX_TSP_REC_UPDATE ,
  TEX_UID_REC_UPDATE ,
   TEX_AMT_VALUE ,
  TEX_DTE_VALUE ,
  TEX_IND_VALUE ,
  TEX_INT_VALUE ,
   TEX_RTO_VALUE ,
  TEX_TXT_VALUE ,
  TEX_TSP_VALUE
FROM
  VLS_TABLE_EXT ,
  VLS_ONL_APRVL_RULE
WHERE
  TEX_NME_POTEN_COL  =  CAST ( ? AS CHAR ( 18 ) )  AND
  OAR_CDE_APRVL_TRAN =  CAST ( ? AS CHAR ( 5 ) )  AND
  OAR_RID_APRVL_RULE =  TEX_RID_OWNER
   /* LIQ-66822.xml */

  } com.misys.liq.jsqlaccess.adapter.jdbcadapter.JDBCWrapper@206d6365 com.microsoft.sqlserver.jdbc.SQLServerPreparedStatement@4a764b82

2019-11-12_15:53:15.274 [http-nio-8081-exec-4_RunXQuery_null] TRACE: 66822:1: setObject: 1 Inputs - |OAR_IND_CRTR_APRV | potentialColumnName, TEX_NME_POTEN_COL, java.lang.String
2019-11-12_15:53:15.274 [http-nio-8081-exec-4_RunXQuery_null] TRACE: 66822:1: setObject: 2 Inputs - |ACADJ| approvableTransactionCode, OAR_CDE_APRVL_TRAN, java.lang.String
2019-11-12_15:53:15.274 [http-nio-8081-exec-4_RunXQuery_null] TRACE: 66822:1 : Row : {0=[column=TEX_TSP_REC_CREATE value=2019-08-10 02:25:23.2], 1=[column=TEX_UID_REC_CREATE value=LIQ_API], 2=[column=TEX_RID_TABLE_EXT value=T/X00023], 3=[column=TEX_RID_OWNER value=1O94Z8HG], 4=[column=TEX_CDE_OWNER_TYPE value=OAR], 5=[column=TEX_NME_POTEN_COL value=OAR_IND_CRTR_APRV], 6=[column=TEX_TSP_REC_UPDATE value=2019-08-10 02:25:23.2], 7=[column=TEX_UID_REC_UPDATE value=LIQ_API], 10=[column=TEX_IND_VALUE value=Y]}
2019-11-12_15:53:15.274 [http-nio-8081-exec-4_RunXQuery_null] TRACE: 66822:1 : Row : {0=[column=TEX_TSP_REC_CREATE value=2019-08-10 02:25:23.2], 1=[column=TEX_UID_REC_CREATE value=LIQ_API], 2=[column=TEX_RID_TABLE_EXT value=T/X00027], 3=[column=TEX_RID_OWNER value=9-9Z19KO], 4=[column=TEX_CDE_OWNER_TYPE value=OAR], 5=[column=TEX_NME_POTEN_COL value=OAR_IND_CRTR_APRV], 6=[column=TEX_TSP_REC_UPDATE value=2019-08-10 02:25:23.2], 7=[column=TEX_UID_REC_UPDATE value=LIQ_API], 10=[column=TEX_IND_VALUE value=N]}
2019-11-12_15:53:15.274 [http-nio-8081-exec-4_RunXQuery_null] TRACE: 66822:1 : Row : {0=[column=TEX_TSP_REC_CREATE value=2019-08-10 02:25:23.2], 1=[column=TEX_UID_REC_CREATE value=LIQ_API], 2=[column=TEX_RID_TABLE_EXT value=T/X00029], 3=[column=TEX_RID_OWNER value=DI9PWXWZ], 4=[column=TEX_CDE_OWNER_TYPE value=OAR], 5=[column=TEX_NME_POTEN_COL value=OAR_IND_CRTR_APRV], 6=[column=TEX_TSP_REC_UPDATE value=2019-08-10 02:25:23.2], 7=[column=TEX_UID_REC_UPDATE value=LIQ_API], 10=[column=TEX_IND_VALUE value=Y]}
2019-11-12_15:53:15.274 [http-nio-8081-exec-4_RunXQuery_null] TRACE: 66822:1 : Row : {0=[column=TEX_TSP_REC_CREATE value=2019-08-10 02:25:23.2], 1=[column=TEX_UID_REC_CREATE value=LIQ_API], 2=[column=TEX_RID_TABLE_EXT value=T/X00084], 3=[column=TEX_RID_OWNER value=J(9KRUL8], 4=[column=TEX_CDE_OWNER_TYPE value=OAR], 5=[column=TEX_NME_POTEN_COL value=OAR_IND_CRTR_APRV], 6=[column=TEX_TSP_REC_UPDATE value=2019-08-10 02:25:23.2], 7=[column=TEX_UID_REC_UPDATE value=LIQ_API], 10=[column=TEX_IND_VALUE value=N]}
2019-11-12_15:53:15.274 [http-nio-8081-exec-4_RunXQuery_null] TRACE: 66822:1 : Row : {0=[column=TEX_TSP_REC_CREATE value=2019-08-10 02:25:23.2], 1=[column=TEX_UID_REC_CREATE value=LIQ_API], 2=[column=TEX_RID_TABLE_EXT value=T/X00139], 3=[column=TEX_RID_OWNER value=KW9ZR5OR], 4=[column=TEX_CDE_OWNER_TYPE value=OAR], 5=[column=TEX_NME_POTEN_COL value=OAR_IND_CRTR_APRV], 6=[column=TEX_TSP_REC_UPDATE value=2019-08-10 02:25:23.2], 7=[column=TEX_UID_REC_UPDATE value=LIQ_API], 10=[column=TEX_IND_VALUE value=N]}
2019-11-12_15:53:15.274 [http-nio-8081-exec-4_RunXQuery_null] TRACE: 66822:1 : Row : {0=[column=TEX_TSP_REC_CREATE value=2019-08-10 02:25:23.2], 1=[column=TEX_UID_REC_CREATE value=LIQ_API], 2=[column=TEX_RID_TABLE_EXT value=T/X00147], 3=[column=TEX_RID_OWNER value=Y*94SS3I], 4=[column=TEX_CDE_OWNER_TYPE value=OAR], 5=[column=TEX_NME_POTEN_COL value=OAR_IND_CRTR_APRV], 6=[column=TEX_TSP_REC_UPDATE value=2019-08-10 02:25:23.2], 7=[column=TEX_UID_REC_UPDATE value=LIQ_API], 10=[column=TEX_IND_VALUE value=Y]}

0 Karma

harsmarvania57
Ultra Champion

Configuration which I have provided will not work on UF, you need to configure it on first Splunk Enterprise Instance (Indexer or Heavy Forwarder) from UF.

0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

 (view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...