Getting Data In

Dynamic Line Merging Based on Event Type

jchensor
Communicator

I'm parsing an MSSQL Error Log file, and it has several different event types in the log. There are "Server" events, "Logon" events, "Backup" events, and so on and so forth.

Most of these are single line events. However, if you look at the way the Logon lines are constructed, they always generate two lines that are related to each other. Here's an example:

2011-04-27 16:43:46.23 Server      Server is listening on [ 127.0.0.1 <ipv4> 1434].
2011-04-27 16:43:46.23 Server      Dedicated admin connection support was established for listening locally on port 1434.
2011-04-27 16:43:46.25 Logon       Error: 17187, Severity: 16, State: 1.
2011-04-27 16:43:46.25 Logon       SQL Server is not ready to accept new client connections. Wait a few minutes before trying again. If you have access to the error log, look for the informational message that indicates that SQL Server is ready before trying to connect again.  [CLIENT: 98.76.54.32]
2011-04-27 16:43:46.62 Logon       Error: 18456, Severity: 14, State: 16.
2011-04-27 16:43:46.62 Logon       Login failed for user 'user_name'. [CLIENT: 12.34.56.78]
2011-04-27 16:43:46.82 spid11s     The Service Broker protocol transport is disabled or not configured.
2011-04-27 16:43:46.82 spid11s     The Database Mirroring protocol transport is disabled or not configured.

You can see that the "Server" lines are single-line events. The two "spid" lines are also separate events. But the four "Logon" lines are distinctly TWO events, each spanning across two lines (the first line with the Error, Severity, and State and the second with the message along with the IP address).

Now, I've written it up so the different event types get qualified as different sourcetypes. So then, after I assign sourcetypes to them, such as "server", "backup", or "logon", I pass the events to stanzas dedicated to each sourcetype. In the stanza for the "logon" sourcetype in my props.conf, I add the LINE_BREAKER information there to only break at "\]([\r\n]+)". But by then, it's too late... in the transforms that assign the sourcetype, the lines are already divided up. And then I thought about it: the info that gets passed into TRANSFORMS- is already separated into separate events, so it seems like this won't work no matter how I configure it or time it. The LINE_BREAKER options seem to only allow me to do it one way or the other for the whole file, and not be dynamic based on the event type I run into.

So I came up with a second idea. Is there a way to request the NEXT event while working with one event so I could essentially concat the two events together? So if I detect that I am a "Logon" line, I can grab the next line automatically and paste the lines together, so I can add them into the Splunk database as one event. I know there are a lot of assumptions made by auto-concatenating two lines like this, but that's okay. Is this possible at all?

Or does anyone have any alternate solutions for me they can think of?

Thanks for those who have sat and read through this post! ^_^

  • James
1 Solution

jchensor
Communicator

So what I ended up doing was using the "MUST_NOT_BREAK_AFTER" and "MUST_BREAK_AFTER" options to get it to work. So if I find a line with "Logon" that has Error, Severity, and State, it triggers the "MUST_NOT_BREAK_AFTER" and then will break once again after it finds a line with "Logon" in it that ends with a "[CLIENT: x.x.x.x]".

And that seemed to do the trick!

  • James
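
The approach James describes, written out as a props.conf stanza. This is an added example, not James's own configuration (he did not post it): the sourcetype name mssql:errorlog, the timestamp settings and the two regexes are assumptions built from the sample lines in the question. It has to live in the stanza for the sourcetype the file is indexed under at input time, because line merging runs over the whole file before any TRANSFORMS- based sourcetype rewriting happens.

```ini
# props.conf (on the indexer or heavy forwarder that parses the file)
# Example only; "mssql:errorlog" is an assumed sourcetype name.
[mssql:errorlog]

# MUST_NOT_BREAK_AFTER / MUST_BREAK_AFTER only take effect when line merging is on.
SHOULD_LINEMERGE = true

# Every line in this log starts with a timestamp, so by default each line
# becomes its own event. That is right for Server, Backup and spid lines.
BREAK_ONLY_BEFORE_DATE = true
TIME_PREFIX = ^
TIME_FORMAT = %Y-%m-%d %H:%M:%S.%2N
MAX_TIMESTAMP_LOOKAHEAD = 25

# First half of a Logon pair: "<date> <time> Logon  Error: N, Severity: N, State: N."
# Once this matches, Splunk stops breaking (even before the next timestamp)
# until MUST_BREAK_AFTER matches.
MUST_NOT_BREAK_AFTER = ^\S+\s+\S+\s+Logon\s+Error:\s*\d+,\s*Severity:\s*\d+,\s*State:\s*\d+\.

# Second half of a Logon pair: a Logon line ending in "[CLIENT: <addr>]".
# After this line the next input line starts a new event again.
MUST_BREAK_AFTER = ^\S+\s+\S+\s+Logon\s+.*\[CLIENT:\s*[^\]]*\]\s*$

# Safety net (assumption: nothing in this log legitimately spans more than
# two lines). If a second half never arrives, MUST_NOT_BREAK_AFTER would keep
# appending Server/spid lines to the Logon event until something matched
# MUST_BREAK_AFTER; this caps the damage at two lines.
MAX_EVENTS = 2
```

Applied to the sample in the question, this yields six events: two Server, two two-line Logon, two spid11s. Before relying on it, confirm the stanza is the one actually in effect with `splunk btool props list mssql:errorlog --debug`, and feed a copy of the ERRORLOG through a test index: the MUST_BREAK_AFTER regex must match the second Logon line exactly, or the event will swallow lines until MAX_EVENTS stops it.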


wrangler2x
Motivator

I am having this exact problem. I wonder if you could share your actual conf things that you added to deal with this. It'd save me a lot of work.
