- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- DBX: when is the line "dbx-end-of-event" printed?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have a database input configured:
[dbmon-tail://spa/dwf_rdfdirector_r]
host = spa
index = emc
interval = auto
output.format = mkv
output.timestamp = 1
output.timestamp.column = createdate
output.timestamp.format = yyyy-MM-dd HH:mm:ss
output.timestamp.parse.format = yyyy-MM-dd HH:mm:ss
sourcetype = dwf_rdfdirector_r
table = dwf_rdfdirector_r
tail.rising.column = createdate
1) I suspect it is intentional that when the query is run and no new results are received an event like
---91827349873-dbx-end-of-event---
is indexed. Is there a config setting to prevent that?
2) Most of the other events that have new data have no dbx-end-of-event line at all and miss the last 15 columns as well. Sometimes I get the second part of the table with only the last 15 columns and the dbx-end-of-event line but without the first 25 and the timestamp. But that happens in less than 1/3 of the events. Any idea what is happening there?
The searches "Recent DB Connect errors" and "Recent Java Bridge errors" have no entries.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Those lines are intended for marking the end of an event in order to force correct line breaking for multiline events. Unfortunately you have to specify those settings manually at the moment if you're using a custom sourcetype. The following props.conf stanza should apply the correct settings for your case:
[dwf_rdfdirector_r]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]---91827349873-dbx-end-of-event---[\r\n])
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have a database input configured:
source="dbmon-tail://Sample_DB/sample1"
i/p type: Tail
Rising column: modified_date
Index: default
O/p format: Multi line key value format
o/p timestamp : Un checked
Interval : auto
and placed below lines in 'props.conf' file at below path "Splunk/etc/apps/search/local/" and also in "Splunk/etc/apps/search/default/"
[sample1]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]---91827349873-dbx-end-of-event---[\r\n])
but still getting o/p as below format""
modified_date=2013-02-16 02:32:13
track=US
cause=Task
closed_date=2013/02/16
area=TC Request
---91827349873-dbx-end-of-event---
entry_id=1234
assigned_id=ABCD
status=Closed
and also unable to retrieve 'create_date' column which is existing in DB
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Those lines are intended for marking the end of an event in order to force correct line breaking for multiline events. Unfortunately you have to specify those settings manually at the moment if you're using a custom sourcetype. The following props.conf stanza should apply the correct settings for your case:
[dwf_rdfdirector_r]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]---91827349873-dbx-end-of-event---[\r\n])
Announcing Scheduled Export GA for Dashboard Studio
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!
