Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Logs not showing up

mahesh27
Communicator
‎09-10-2024 06:35 PM

Using below props, but we don't see logs reporting to Splunk,   We are assuming that | (pipe symbol) works as a delimiter and we cannot use it in props. 
Just want to know is this props are correct

[tools:logs]

SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)\d{4}\-\d{2}\-\d{2}\s\|\d{2}:\d{2}:\d{2}.\d{3}\s\|
TIME_PREFIX=^
TIME_FORMAT=%Y-%m-%d | %H:%M:%S.%3N
MAX_TIMESTAMP_LOOKAHEAD=28



Sample logs:

 

2022-02-22 | 04:00:34:909 | main stream logs
| Staticapp-1 - Restart completed
2022-02-22 | 05:00:34:909 | main stream applicationlogs
| Staticapp-1 - application logs (total=0, active=0, waiting=0) completed
2022-02-22 | 05:00:34:909 | main stream applicationlogs
| harikpool logs-1 - mainframe script (total=0, active=0, waiting=0) completed

 

 

 

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎09-10-2024 11:50 PM

In your sample logs, it looks like you have a space after the first pipe which does not appear to be accounted for in your LINE_BREAKER pattern. Try something like this

LINE_BREAKER=([\r\n]+)\d{4}\-\d{2}\-\d{2}\s\|\s\d{2}:\d{2}:\d{2}.\d{3}\s\|
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎09-10-2024 11:13 PM

Hi @mahesh27 ,

two questions:

1)

do you see logs in a wrong format or don't you see logs?

in the first case, props.conf is relevant, in the second case, there's a different issue.

2)

if you see your logs in wrong format, I suppose that your logs are in one row (because you used SHOULD_LINEMERGE=false), so why are you using the LINE_BREAKER in that way?

See how to index csv files using pipe as delimiter.

My hint is to same some logs in a text file and try to ingest it using the manual Add logs feature, that guides you in props.conf definition and test.

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...