Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Index not getting the whole log

xisura
Communicator
‎12-11-2013 05:47 AM

Hi Everyone,

I have a problem in indexing of logs. After i search by the source i found out that its not getting the whole content of the log file sample search => index="test" source="sourcepath".
I checked the raw log its complete but in splunk it shows incomplete logs.
Please help how can i fix this?

Thanks,
xisura

Tags (2)
0 Karma
Reply

lukejadamec
Super Champion
‎12-11-2013 03:30 PM

If I was Splunk, this log file would give me a headache. There is no timestamp, the values come before the field sometimes and after the field name other times. However, I am not Splunk.

Regardless, I am new, so what I would do is just index the entire file as raw data and pull out what I wanted from the data with search time field extractions using rex or regex.

To index the entire file without regard to field value content you will need to create a props.conf stanza that never line breaks like this:

props.conf

[util]
SHOULD_LINEMERGE=false
LINE_BREAKER=(?=!)
TRUNCATE=1000000

Reference: Old Folks et.al:

http://answers.splunk.com/answers/11566/how-can-i-index-config-files-and-text-documents-as-individua...

0 Karma
Reply

xisura
Communicator
‎12-11-2013 05:23 PM

ok , i'll keep you updated thanks for helping me 🙂

0 Karma
Reply

lukejadamec
Super Champion
‎12-11-2013 05:16 PM

Try adding DATETIME_CONFIG = NONE to the props.conf config, and remember this will only affect newly indexed logs after a restart.

For reference:
Set DATETIME_CONFIG = NONE to prevent the timestamp processor from running. When timestamp processing is off, Splunk does not look at the text of the event for the timestamp--it instead uses the event's "time of receipt"; in other words, the time the event is received via its input. For file-based inputs, this means that Splunk derives the event timestamp from the modification time of the input file.

0 Karma
Reply

xisura
Communicator
‎12-11-2013 05:00 PM

I tried searching this sourcetype="util" "DPwithFR:" , set the time to all time, it shows it but the time is "July 19,2013"
I suspect that its not getting the right time so i tried to convert the boot time which is in epoch time to standard time and it shows July 19,2013. Theres no latest data that shows that part , i also checked the raw logs and its there. I dont know why splunk didnt index that part.

1342633324 boot time
565898104 forks
DP:
2.13 : 34
3.9 : 33
DPwithFR:
2.2 : 37
2.3 : 35
2.4 : 36
2.5 : 36
2.6 : 35
2.7 : 35
2.8 : 38

0 Karma
Reply

xisura
Communicator
‎12-11-2013 05:00 PM

I already edit the props.conf and restart the indexer and the forwarder still it didnt show that part.

0 Karma
Reply

lukejadamec
Super Champion
‎12-11-2013 04:22 PM

Here is a good read for answering questions regarding where to put/find which config:

http://docs.splunk.com/Documentation/Splunk/6.0/admin/Wheretofindtheconfigurationfiles

0 Karma
Reply

lukejadamec
Super Champion
‎12-11-2013 04:19 PM

I would put it on the indexer in the splunk\etc\system\local\props.conf because it is easier to manage. However, it should also work in the apps \local\props.conf just as well.
If there are any props.conf files anywhere that have a stanza for [util] you need to make sure the settings don't conflict, and I'd restart both the forwarder and indexer splunkd service just to make sure everything is fresh.
Note: This change will only effect logs indexed after the restart.

0 Karma
Reply

xisura
Communicator
‎12-11-2013 04:09 PM

Hi @lukejadamec, should i change the props.conf inside the apps folder or the one inside the systems/local ?

0 Karma
Reply

lukejadamec
Super Champion
‎12-11-2013 03:16 PM

What is the sourcetype definition? Can you post the props.conf stanza for [util]?

0 Karma
Reply

xisura
Communicator
‎12-11-2013 02:43 PM

one event per log,i set the sourcetype as "util"

0 Karma
Reply

lukejadamec
Super Champion
‎12-11-2013 02:38 PM

Is this the expected entire log file, or one event from a log file?
What are you using as a sourcetype?

0 Karma
Reply

xisura
Communicator
‎12-11-2013 11:43 AM

Hi Here's the sample log

302051908 non-nice user cpu ticks
 67022224 nice user cpu ticks
474810206 system cpu ticks

7723346493 idle cpu ticks
10254021 IO-wait cpu ticks
21190725 IRQ cpu ticks
135816356 softirq cpu ticks
2438955853 interrupts
378813755 CPU context switches
1342633324 boot time
559999898 forks

it cuts here..it didnt index the data below:

DP:
2.13 : 29
3.9 : 29

DPwithFR:
2.2 : 28
2.3 : 30
2.4 : 28
2.5 : 32
2.6 : 30
2.7 : 32

0 Karma
Reply

somesoni2
Revered Legend
‎12-11-2013 06:29 AM

Any specific pattern for the missing entries?

0 Karma
Reply

HiroshiSatoh
Champion
‎12-11-2013 06:21 AM

specification of the log that you want to get the contents of the input.conf correct?

0 Karma
Reply

xisura
Communicator
‎12-11-2013 02:25 PM

hi , the path to specific log in input.conf is correct

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...