
Can you help me with Line Breaker and Event Time?

damucka
Builder

Hello,

I have a database crashdump file, which has the following structure (from the beginning):

=========================================
Crash protocol for PID 289251
Rundirectory: /usr/sap/CWW/HDB02/ls5433
Process start time: 2018-11-29 15:24:13 782 Local
Exception time: 2018-11-30 21:00:50 859 Local
SectionTimeout: 30sec
KillTimeout: 300sec
=========================================

Table of contents:
   [BUILD]  Build information
   [SYSTEMINFO]  System information
   [CRASH_SHORTINFO]  Exception short info
   ...
   [DISASSEMBLY]  Disassembly of frames in callstack
   [REGISTER_OBJECTS]  Objects registers point to
   [THREADS]  Running threads
WARNING: could not suspend 1 threads

[BUILD]  Build information: (2018-11-30 21:01:01 972 Local)
Version       : 2.00.024.06.1538035880 (fa/hana2sp02)
Build host    : ld4552
Build time    : 2018-09-27 10:26:47
Platform      : linuxx86_64
Compiler      : gcc (SAP release 20170307, based on SUSE gcc6-6.2.1+r239768-2.4) 6.2.1 20160826 [gcc-6-branch revision 239773]
Maketype      : rel
Branch        : fa/hana2sp02
Git hash      : 4d5d5af986c75c6f2d61bde8b289b9c8ca078032
Git mergetime : 2018-09-27 10:11:20
Weekstone     : 0000.00.0
[OK]
--

[SYSTEMINFO]  System information: (2018-11-30 21:01:01 972 Local)
Instance CWW/02, OS Linux ls5433 4.4.121-92.98-default #1 SMP Fri Oct 19 07:52:13 UTC 2018 (e4d85ce) x86_64
[OK]
--

Now, I would like each section to be a separate event. The sections are separated by [OK], except the heading one, but I would not mind if that were combined with the [BUILD] section. This means I would like to set the line breaker to [OK].

Also, the event time should be set to the timestamp coming in brackets:

[BUILD]  Build information: (2018-11-30 21:01:01 972 Local)
...
[SYSTEMINFO]  System information: (2018-11-30 21:01:01 972 Local)

etc. Unfortunately these timestamps do not come in the first line of the event, at least in the case of the first event / header.

How would I achieve both?

The line breaker set to [OK] and the proper event time setting?

Could you please advise the corresponding props.conf entries?

Kind Regards,
Kamil

0 Karma
1 Solution

harsmarvania57
SplunkTrust

Hi,

Please try the configuration below.

props.conf

[yoursourcetype]
BREAK_ONLY_BEFORE_DATE = false
LINE_BREAKER = ([\r\n]+)\[\w+\]\s{2}\w+
MAX_TIMESTAMP_LOOKAHEAD = 23
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
TIME_FORMAT = %Y-%m-%d %H:%M:%S %3N
TIME_PREFIX = information: \(
disabled = false

The above configuration will break the sample event you provided into 3 different events.

First Event

=========================================
Crash protocol for PID 289251
Rundirectory: /usr/sap/CWW/HDB02/ls5433
Process start time: 2018-11-29 15:24:13 782 Local
Exception time: 2018-11-30 21:00:50 859 Local
SectionTimeout: 30sec
KillTimeout: 300sec
=========================================

Table of contents:
   [BUILD]  Build information
   [SYSTEMINFO]  System information
   [CRASH_SHORTINFO]  Exception short info
   ...
   [DISASSEMBLY]  Disassembly of frames in callstack
   [REGISTER_OBJECTS]  Objects registers point to
   [THREADS]  Running threads
WARNING: could not suspend 1 threads

Second Event

[BUILD]  Build information: (2018-11-30 21:01:01 972 Local)
Version       : 2.00.024.06.1538035880 (fa/hana2sp02)
Build host    : ld4552
Build time    : 2018-09-27 10:26:47
Platform      : linuxx86_64
Compiler      : gcc (SAP release 20170307, based on SUSE gcc6-6.2.1+r239768-2.4) 6.2.1 20160826 [gcc-6-branch revision 239773]
Maketype      : rel
Branch        : fa/hana2sp02
Git hash      : 4d5d5af986c75c6f2d61bde8b289b9c8ca078032
Git mergetime : 2018-09-27 10:11:20
Weekstone     : 0000.00.0
[OK]
--

Third Event

[SYSTEMINFO]  System information: (2018-11-30 21:01:01 972 Local)
Instance CWW/02, OS Linux ls5433 4.4.121-92.98-default #1 SMP Fri Oct 19 07:52:13 UTC 2018 (e4d85ce) x86_64
[OK]
--


0 Karma
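To check how a LINE_BREAKER / TIME_PREFIX / TIME_FORMAT trio like the one in the answer carves the file before it is deployed, here is an added example (not Splunk's code and not part of the answer) that re-implements the documented semantics of those settings in Python over an abbreviated copy of the crashdump from the question. The patterns are the answer's, with the `+` quantifier placed outside the character class (`[\r\n]+`), which is what the breaker intends; the sample text is constructed from the thread; the helper names `split_events`, `extract_time` and `carve` are my own, and the millisecond padding stands in for Splunk's `%3N`, which Python's `strptime` does not have. Splunk uses PCRE rather than Python's `re`, but these particular patterns behave the same in both.

```python
"""Offline dry run of Splunk line breaking and timestamp extraction.

Added example, not Splunk's own code: it mimics the documented semantics of
LINE_BREAKER, TIME_PREFIX, MAX_TIMESTAMP_LOOKAHEAD and TIME_FORMAT with
Python's `re` so a props.conf stanza can be sanity-checked before deployment.
"""
import re
from datetime import datetime

# Constructed sample, abbreviated from the crashdump in the question.
SAMPLE = """=========================================
Crash protocol for PID 289251
Rundirectory: /usr/sap/CWW/HDB02/ls5433
Process start time: 2018-11-29 15:24:13 782 Local
Exception time: 2018-11-30 21:00:50 859 Local
=========================================

Table of contents:
   [BUILD]  Build information
   [SYSTEMINFO]  System information
WARNING: could not suspend 1 threads

[BUILD]  Build information: (2018-11-30 21:01:01 972 Local)
Version       : 2.00.024.06.1538035880 (fa/hana2sp02)
Git hash      : 4d5d5af986c75c6f2d61bde8b289b9c8ca078032
[OK]
--

[SYSTEMINFO]  System information: (2018-11-30 21:01:01 972 Local)
Instance CWW/02, OS Linux ls5433 4.4.121-92.98-default x86_64
[OK]
--
"""

# Values from the answer's props.conf (quantifier outside the class).
LINE_BREAKER = r"([\r\n]+)\[\w+\]\s{2}\w+"
TIME_PREFIX = r"information: \("
MAX_TIMESTAMP_LOOKAHEAD = 23
# Splunk's "%Y-%m-%d %H:%M:%S %3N"; Python has no %3N, so %f is used on a
# value padded to microseconds below.
TIME_FORMAT = "%Y-%m-%d %H:%M:%S %f"


def split_events(text, line_breaker):
    """Splunk semantics: the text matched by capture group 1 is discarded and
    an event boundary is placed there; the rest of the match (the section
    heading) stays at the start of the next event."""
    events, start = [], 0
    for m in re.finditer(line_breaker, text):
        events.append(text[start:m.start(1)])
        start = m.end(1)
    events.append(text[start:])
    return [e for e in events if e.strip()]


def extract_time(event, time_prefix, lookahead, time_format):
    """Find TIME_PREFIX, then parse at most `lookahead` characters after it.
    Returns None when the prefix is absent; Splunk would then fall back to the
    previous event's time or the file's modification time."""
    m = re.search(time_prefix, event)
    if not m:
        return None
    window = event[m.end():m.end() + lookahead]   # 23 chars: "2018-11-30 21:01:01 972"
    ymd, hms, ms = window.split()
    # Milliseconds are three digits; pad to six so %f reads them as ms, not us.
    return datetime.strptime(f"{ymd} {hms} {ms.ljust(6, '0')}", time_format)


def carve(text=SAMPLE):
    """Return (first line, event time) for each event under the answer's stanza."""
    return [
        (e.strip().splitlines()[0],
         extract_time(e, TIME_PREFIX, MAX_TIMESTAMP_LOOKAHEAD, TIME_FORMAT))
        for e in split_events(text, LINE_BREAKER)
    ]


if __name__ == "__main__":
    for first_line, ts in carve():
        print(f"{str(ts):26} | {first_line}")
```

Running it lists three events, matching the answer's description. The header event carries no timestamp because `information: (` never occurs in it (the table of contents lines lack the colon and parenthesis), so in Splunk its `_time` would come from the previous event in the same source or from the file's modification time; that is the caveat behind the question's remark about the first event. The indented `   [BUILD]` entries in the table of contents do not trigger the breaker, since the pattern requires the heading to follow the newline directly.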