Index not getting the whole log

Communicator

Hi Everyone,

I have a problem with the indexing of logs. After I search by the source, I found out that it's not getting the whole content of the log file. Sample search: index="test" source="sourcepath".
I checked the raw log; it's complete, but in Splunk it shows incomplete logs.
Please help: how can I fix this?

Thanks,
xisura

Super Champion

If I were Splunk, this log file would give me a headache. There is no timestamp, and the values come before the field name sometimes and after the field name other times. However, I am not Splunk.

Regardless, I am new, so what I would do is just index the entire file as raw data and pull out what I wanted from the data with search-time field extractions using rex or regex.

To index the entire file without regard to field value content you will need to create a props.conf stanza that never line breaks like this:

props.conf

[util]
SHOULD_LINEMERGE=false
LINE_BREAKER=(?=!)
TRUNCATE=1000000

Reference: Old Folks et al.:

http://answers.splunk.com/answers/11566/how-can-i-index-config-files-and-text-documents-as-individua...
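A way to check for this kind of ingestion gap, as an added example that is not part of the original thread and not Splunk's own code: the Python below emulates the effect of LINE_BREAKER and TRUNCATE on a constructed log in the shape of the one quoted in this thread, then lists every non-blank raw line that did not land in any event. The emulation is an assumption (the first capturing group of the breaker regex marks a boundary and its text is dropped; TRUNCATE cuts each event to a byte limit), the sample values are made up, and the function names are mine.

```python
import re

# Constructed sample in the shape of the log quoted in the thread (numbers are made up).
RAW_LOG = (
    "302051908 non-nice user cpu ticks\n"
    " 67022224 nice user cpu ticks\n"
    "474810206 system cpu ticks\n"
    "1342633324 boot time\n"
    "559999898 forks\n"
    "\n"
    "DP:\n"
    "2.13 : 29\n"
    "3.9 : 29\n"
    "\n"
    "DPwithFR:\n"
    "2.2 : 28\n"
    "2.3 : 30\n"
)

# Splunk's documented default breaker: one event per line, the newline run is discarded.
DEFAULT_LINE_BREAKER = r"([\r\n]+)"
# The "never break" trick from the thread: a lookahead for "!" that never matches
# in a file containing no "!", so the whole file becomes one event.
NEVER_BREAK = r"(?=!)"


def break_events(raw, line_breaker):
    """Emulate LINE_BREAKER (assumption): each match of the breaker regex ends the
    current event; the text matched by capture group 1 (or the whole match when the
    regex has no group) is dropped and the next event starts after it."""
    pattern = re.compile(line_breaker)
    events, start = [], 0
    for m in pattern.finditer(raw):
        if pattern.groups and m.start(1) != -1:
            boundary_start, boundary_end = m.span(1)
        else:
            boundary_start, boundary_end = m.span()
        chunk = raw[start:boundary_start]
        if chunk:  # zero-length pieces (e.g. consecutive newlines) are not events
            events.append(chunk)
        start = boundary_end
    tail = raw[start:]
    if tail:
        events.append(tail)
    return events


def truncate_events(events, limit):
    """Emulate TRUNCATE (assumption): each event is cut to at most `limit` bytes;
    0 means unlimited."""
    if limit == 0:
        return list(events)
    return [e.encode()[:limit].decode(errors="ignore") for e in events]


def missing_lines(raw, events):
    """Completeness check: every non-blank line of the raw file must appear inside
    some indexed event. Returns the raw lines that are missing, in file order."""
    body = "\n".join(events)
    return [line for line in raw.splitlines() if line.strip() and line not in body]


def audit(raw, line_breaker, truncate=0):
    """Run breaking + truncation and report event count and missing raw lines."""
    events = truncate_events(break_events(raw, line_breaker), truncate)
    return {"events": len(events), "missing": missing_lines(raw, events)}


if __name__ == "__main__":
    # One event per line vs. the whole file as one event: both keep every line.
    print(audit(RAW_LOG, DEFAULT_LINE_BREAKER))
    print(audit(RAW_LOG, NEVER_BREAK))
    # A byte limit that falls just after "forks" reproduces the gap seen in the thread:
    # everything from "DP:" onwards is silently absent from the index.
    print(audit(RAW_LOG, NEVER_BREAK, truncate=128))
```

In practice you would feed `missing_lines` the raw file on one side and the `_raw` of the events exported from a search over that source on the other; an empty list is the condition to monitor, since a log that is only partly indexed is a log that detections silently never see.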

Communicator

OK, I'll keep you updated. Thanks for helping me 🙂

Super Champion

Try adding DATETIME_CONFIG = NONE to the props.conf config, and remember this will only affect newly indexed logs after a restart.

For reference:
Set DATETIME_CONFIG = NONE to prevent the timestamp processor from running. When timestamp processing is off, Splunk does not look at the text of the event for the timestamp--it instead uses the event's "time of receipt"; in other words, the time the event is received via its input. For file-based inputs, this means that Splunk derives the event timestamp from the modification time of the input file.

Communicator

I tried searching this: sourcetype="util" "DPwithFR:", set the time to all time. It shows it, but the time is "July 19,2013".
I suspect that it's not getting the right time, so I tried to convert the boot time, which is in epoch time, to standard time, and it shows July 19,2013. There's no latest data that shows that part; I also checked the raw logs and it's there. I don't know why Splunk didn't index that part.

1342633324 boot time
565898104 forks
DP:
2.13 : 34
3.9 : 33
DPwithFR:
2.2 : 37
2.3 : 35
2.4 : 36
2.5 : 36
2.6 : 35
2.7 : 35
2.8 : 38

Communicator

I already edited the props.conf and restarted the indexer and the forwarder; still, it didn't show that part.

Super Champion

Here is a good read for answering questions regarding where to put/find which config:

http://docs.splunk.com/Documentation/Splunk/6.0/admin/Wheretofindtheconfigurationfiles

Super Champion

I would put it on the indexer in splunk\etc\system\local\props.conf because it is easier to manage. However, it should also work in the app's \local\props.conf just as well.
If there are any props.conf files anywhere that have a stanza for [util], you need to make sure the settings don't conflict, and I'd restart both the forwarder and indexer splunkd services just to make sure everything is fresh.
Note: This change will only affect logs indexed after the restart.

Communicator

Hi @lukejadamec, should I change the props.conf inside the apps folder or the one inside systems/local?

Super Champion

What is the sourcetype definition? Can you post the props.conf stanza for [util]?

Communicator

One event per log. I set the sourcetype as "util".

Super Champion

Is this the expected entire log file, or one event from a log file?
What are you using as a sourcetype?

Communicator

Hi, here's the sample log:

302051908 non-nice user cpu ticks
 67022224 nice user cpu ticks
474810206 system cpu ticks

7723346493 idle cpu ticks
10254021 IO-wait cpu ticks
21190725 IRQ cpu ticks
135816356 softirq cpu ticks
2438955853 interrupts
378813755 CPU context switches
1342633324 boot time
559999898 forks

It cuts here. It didn't index the data below:

DP:
2.13 : 29
3.9 : 29

DPwithFR:
2.2 : 28
2.3 : 30
2.4 : 28
2.5 : 32
2.6 : 30
2.7 : 32

SplunkTrust

Any specific pattern for the missing entries?

Champion

Is the specification of the log that you want to get the contents of in input.conf correct?

Communicator

Hi, the path to the specific log in input.conf is correct.