Hello,
I have a database crashdump file, which has the following structure (from the beginning):
=========================================
Crash protocol for PID 289251
Rundirectory: /usr/sap/CWW/HDB02/ls5433
Process start time: 2018-11-29 15:24:13 782 Local
Exception time: 2018-11-30 21:00:50 859 Local
SectionTimeout: 30sec
KillTimeout: 300sec
=========================================
Table of contents:
[BUILD] Build information
[SYSTEMINFO] System information
[CRASH_SHORTINFO] Exception short info
...
[DISASSEMBLY] Disassembly of frames in callstack
[REGISTER_OBJECTS] Objects registers point to
[THREADS] Running threads
WARNING: could not suspend 1 threads
[BUILD] Build information: (2018-11-30 21:01:01 972 Local)
Version : 2.00.024.06.1538035880 (fa/hana2sp02)
Build host : ld4552
Build time : 2018-09-27 10:26:47
Platform : linuxx86_64
Compiler : gcc (SAP release 20170307, based on SUSE gcc6-6.2.1+r239768-2.4) 6.2.1 20160826 [gcc-6-branch revision 239773]
Maketype : rel
Branch : fa/hana2sp02
Git hash : 4d5d5af986c75c6f2d61bde8b289b9c8ca078032
Git mergetime : 2018-09-27 10:11:20
Weekstone : 0000.00.0
[OK]
--
[SYSTEMINFO] System information: (2018-11-30 21:01:01 972 Local)
Instance CWW/02, OS Linux ls5433 4.4.121-92.98-default #1 SMP Fri Oct 19 07:52:13 UTC 2018 (e4d85ce) x86_64
[OK]
--
Now, I would like each section to be a separate event. The sections are separated with the [OK], except the heading one, but here I would not have anything against that it is combined together with the [BUILD] section together. This means I would like to set the line breaker to the [OK].
Also, the event time should be set to the timestamp coming in brackets:
[BUILD] Build information: (2018-11-30 21:01:01 972 Local)
...
[SYSTEMINFO] System information: (2018-11-30 21:01:01 972 Local)
etc. Unfortunately these timestamps do not come in the first line of the event, at least in case of the first event / header.
How would I achieve both?
The line breaker set to [OK] and the proper event time setting?
Could you please advice the corresponding props.conf entries?
Kind Regards,
Kamil
Hi,
Please try below configuration
props.conf
[yoursourcetype]
BREAK_ONLY_BEFORE_DATE = false
LINE_BREAKER = ([\r\n+])\[\w+\]\s{2}\w+
MAX_TIMESTAMP_LOOKAHEAD = 23
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
TIME_FORMAT = %Y-%m-%d %H:%M:%S %3N
TIME_PREFIX = information: \(
disabled = false
Above configuration will break sample event provided by you in 3 different events
First Event
=========================================
Crash protocol for PID 289251
Rundirectory: /usr/sap/CWW/HDB02/ls5433
Process start time: 2018-11-29 15:24:13 782 Local
Exception time: 2018-11-30 21:00:50 859 Local
SectionTimeout: 30sec
KillTimeout: 300sec
=========================================
Table of contents:
[BUILD] Build information
[SYSTEMINFO] System information
[CRASH_SHORTINFO] Exception short info
...
[DISASSEMBLY] Disassembly of frames in callstack
[REGISTER_OBJECTS] Objects registers point to
[THREADS] Running threads
WARNING: could not suspend 1 threads
Second Event
[BUILD] Build information: (2018-11-30 21:01:01 972 Local)
Version : 2.00.024.06.1538035880 (fa/hana2sp02)
Build host : ld4552
Build time : 2018-09-27 10:26:47
Platform : linuxx86_64
Compiler : gcc (SAP release 20170307, based on SUSE gcc6-6.2.1+r239768-2.4) 6.2.1 20160826 [gcc-6-branch revision 239773]
Maketype : rel
Branch : fa/hana2sp02
Git hash : 4d5d5af986c75c6f2d61bde8b289b9c8ca078032
Git mergetime : 2018-09-27 10:11:20
Weekstone : 0000.00.0
[OK]
--
Third Event
[SYSTEMINFO] System information: (2018-11-30 21:01:01 972 Local)
Instance CWW/02, OS Linux ls5433 4.4.121-92.98-default #1 SMP Fri Oct 19 07:52:13 UTC 2018 (e4d85ce) x86_64
[OK]
--