
DBX: when is the line "dbx-end-of-event" printed?

micm
Explorer

I have a database input configured:

[dbmon-tail://spa/dwf_rdfdirector_r]
host = spa 
index = emc 
interval = auto
output.format = mkv 
output.timestamp = 1 
output.timestamp.column = createdate
output.timestamp.format = yyyy-MM-dd HH:mm:ss
output.timestamp.parse.format = yyyy-MM-dd HH:mm:ss
sourcetype = dwf_rdfdirector_r
table = dwf_rdfdirector_r
tail.rising.column = createdate

1) I suspect it is intentional that when the query is run and no new results are received an event like

---91827349873-dbx-end-of-event---

is indexed. Is there a config setting to prevent that?

2) Most of the other events that have new data have no dbx-end-of-event line at all and miss the last 15 columns as well. Sometimes I get the second part of the table with only the last 15 columns and the dbx-end-of-event line but without the first 25 and the timestamp. But that happens in less than 1/3 of the events. Any idea what is happening there?

The searches "Recent DB Connect errors" and "Recent Java Bridge errors" have no entries.

0 Karma
1 Solution

ziegfried
Influencer

Those lines are intended for marking the end of an event in order to force correct line breaking for multiline events. Unfortunately you have to specify those settings manually at the moment if you're using a custom sourcetype. The following props.conf stanza should apply the correct settings for your case:

[dwf_rdfdirector_r]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]---91827349873-dbx-end-of-event---[\r\n])
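
An added example, not part of the original thread and not Splunk's own code: a Python approximation of how the LINE_BREAKER above splits multi-line key-value output, plus a check for events that still contain the marker or lack expected columns. The sample data, the column names in it, and the function names `break_events` and `audit` are assumptions made for illustration.

```python
import re

MARKER = "---91827349873-dbx-end-of-event---"
# LINE_BREAKER value from the props.conf stanza in the answer above.
LINE_BREAKER = re.compile(r"([\r\n]---91827349873-dbx-end-of-event---[\r\n])")

def break_events(stream):
    """Approximate SHOULD_LINEMERGE = false with LINE_BREAKER: text matched by
    the first capture group is discarded and an event boundary is placed there."""
    events, pos = [], 0
    for m in LINE_BREAKER.finditer(stream):
        events.append(stream[pos:m.start(1)])
        pos = m.end(1)
    if stream[pos:].strip():          # trailing data with no closing marker yet
        events.append(stream[pos:])
    return events

def audit(events, required):
    """Return (event index, problem) pairs for events that look mis-broken."""
    problems = []
    for i, ev in enumerate(events):
        keys = {ln.split("=", 1)[0] for ln in ev.splitlines() if "=" in ln}
        if MARKER in ev:
            problems.append((i, "marker inside event"))
        missing = sorted(set(required) - keys)
        if missing:
            problems.append((i, "missing " + ",".join(missing)))
    return problems

# Constructed sample of multi-line key-value output (values are made up).
SAMPLE = (
    "createdate=2013-02-16 02:32:13\nstatus=Closed\nentry_id=1234\n"
    + MARKER + "\n"
    "createdate=2013-02-16 02:33:40\nstatus=Open\nentry_id=1235\n"
    + MARKER + "\n"
)

# Constructed event shaped like the mis-broken output in the follow-up post:
# the marker sits in the middle and the rising column is absent.
MISBROKEN = "area=TC Request\n" + MARKER + "\nentry_id=1234\nstatus=Closed"

if __name__ == "__main__":
    good = break_events(SAMPLE)
    print(len(good), "events, problems:", audit(good, ["createdate", "entry_id"]))
    print("mis-broken:", audit([MISBROKEN], ["modified_date"]))
```

Running the same two checks as a scheduled search over the indexed sourcetype shows whether the props.conf stanza is actually being applied to new events.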


spandal
New Member

I have a database input configured:
source="dbmon-tail://Sample_DB/sample1"
i/p type: Tail
Rising column: modified_date
Index: default
O/p format: Multi line key value format
o/p timestamp : Un checked
Interval : auto

and placed the lines below in the 'props.conf' file at the path "Splunk/etc/apps/search/local/" and also in "Splunk/etc/apps/search/default/":

[sample1]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]---91827349873-dbx-end-of-event---[\r\n])

but I am still getting o/p in the format below:

modified_date=2013-02-16 02:32:13
track=US
cause=Task
closed_date=2013/02/16
area=TC Request
---91827349873-dbx-end-of-event---
entry_id=1234
assigned_id=ABCD
status=Closed

and I am also unable to retrieve the 'create_date' column, which exists in the DB

0 Karma
