- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Log file looks like below. In this log file two ev...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Log file looks like below. In this log file two events are there and remaining stack trace. Need to group these two events. For each error starts with extra time stamp "06:45:00,186". How do we set values in Splunk prop file. Thanks in advance.
FINEST|3016/0|16-11-03 06:45:00|06:45:00,186 ERROR [SecurityManagerAudit] [Overall test] [134981.test] .getGebruiker() nl.allshare.securitymanager.exceptions.SecurityManagerException: *** XMLSecurityMetaInfoService Exception voor Gebruiker: ADPNL00007821 >>
FINEST|3016/0|16-11-03 06:45:00| at nl.allshare.securitymanager.manager.modules.XMLSecurityMetaInfoService.getGebruiker(XMLSecurityMetaInfoService.java:89)
FINEST|3016/0|16-11-03 06:45:00| at nl.allshare.securitymanager.manager.modules.XMLSecurityMetaInfoService.getGebruiker(XMLSecurityMetaInfoService.java:69)
FINEST|3016/0|16-11-03 06:45:00| ... 22 more
FINEST|3016/0|16-11-03 06:45:00|
FINEST|3016/0|16-11-03 06:47:00|06:46:12,189 ERROR [testing] [Overall test] [134985.test] .getGebruiker() nl.allshare.securitymanager.exceptions.SecurityManagerException: *** XMLSecurityMetaInfoService Exception voor >>
FINEST|3016/0|16-11-03 06:47:00| at nl.allshare.securitymanager.manager.modules.XMLSecurityMetaInfoService.getGebruiker(XMLSecurityMetaInfoService.java:89)
FINEST|3016/0|16-11-03 06:47:00| at nl.allshare.securitymanager.manager.utils.SecurityManager.getNotCachedGebruiker(SecurityManager.java:1369)
FINEST|3016/0|16-11-03 06:47:00| ... 22 more
FINEST|3016/0|16-11-03 06:47:00|
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try the below settings for your sourcetype in props.conf -
[my_sourcetype]
TIME_PREFIX =^(?=([^\|]+\|){3})
TIME_FORMAT = %T,%3N
MAX_TIMESTAMP_LOOKAHEAD = 25
LINE_BREAKER = ([\n\r]+)(?=([^\|]+\|){3}(\d{2}\:){2}\d{2}\,\d{3}\s+)
SHOULD_LINEMERGE = False
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
In addition to above, I have tried with below settings in splunk Prop file. But still it doesn't group the events with stacktrace.
[log4j]
SHOULD_LINEMERGE = true
NO_BINARY_CHECK = true
BREAK_ONLY_BEFORE = [.?] [.?] [.?] [.?] (.*?)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Could you please help us?
Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!
They're back! Join the SplunkTrust and MVP at .conf24
Enterprise Security Content Update (ESCU) | New Releases
