Archive

splunkd error

Champion

Hi,

I'm getting the following error in my splunkd.log, and I can't determine where the issue is. Hoping someone can help me...

The error is:

04-22-2013 14:45:41.122 -0400 ERROR DatetimeInitUtils - Invalid regex ^[ -- Regex: missing terminating ] for character class - data_source="F:\IBM\Lotus\Domino\Trace\UserInfoSA_130419_2323_0.txt", data_host="blahblahblah", data_sourcetype="STCommunityTraceLogs_user"

My inputs.conf is:

[monitor://F:\IBM\Lotus\Domino\Trace\User*.txt]
sourcetype = STCommunityTraceLogs_user
index = euc_sametimedata
disabled = false
followTail = 0
crcSalt =

and my props.conf is:

[STCommunityTraceLogs_user]
TIME_FORMAT = %H:%M:%S.%3N | %d.%m.%Y
MAX_TIMESTAMP_LOOKAHEAD = 55
NO_BINARY_CHECK = 1
SHOULD_LINEMERGE = false
TIME_PREFIX = ^[

Here's some sample lines...
[ 14:38:32.235 | 24.01.2013 | INFO | main ] : UserInfoLogger : info : Initializing UserInfo SA
[ 14:38:32.329 | 24.01.2013 | INFO | main ] : UserInfoLogger : info : openning storage 0 for storage type LDAP
[ 14:38:32.329 | 24.01.2013 | INFO | main ] : UserInfoLogger : info : openning provider host=fidvirtualdir-qa.fmr.com port=2491(&(objectclass=FidelityPerson)(|(mail=%s)(cn=%s)(uid=%s))) storage num=0
[ 14:38:32.329 | 24.01.2013 | INFO | main ] : UserInfoLogger : info : opening detail id=MailAddress type=text/plain fieldName=Mail storage num=0
[ 14:38:32.329 | 24.01.2013 | INFO | main ] : UserInfoLogger : info : opening detail id=Name type=text/plain fieldName=cn storage num=0
[ 14:38:32.329 | 24.01.2013 | INFO | main ] : UserInfoLogger : info : opening detail id=Title type=text/plain fieldName=title st

Tags (1)
0 Karma

Ultra Champion

Yes, you'll need to escape the square bracket in TIME_PREFIX. Otherwise Splunks regex engine will see the as the start of a character class.

So;

TIME_PREFIX=^\[

Also, if you need the crcSalt, I believe that it should be in uppercase; <SOURCE>

/K

Champion

Thanks, appeared to work.

0 Karma