Getting Data In
Highlighted

How to edit my props.conf to forward Matlab Crash Dump?

Engager

I'm getting an intermittent issue that I suspect is related to file IO, not Matlab. I want to forward all the crashdumps so that maybe I can identify a pattern. My problem is that splunk is truncating the log at line 12 because of the second timestamp included in the Operating system version. I haven't had luck with the suggestions on the forums with settings in a props.conf file. Can anyone suggest a configuration that will work here?

example log (not mine, but always follows this form):

------------------------------------------------------------------------
       Segmentation violation detected at Wed Mar 23 15:52:27 2016
------------------------------------------------------------------------
Configuration:
  Crash Decoding     : Disabled
  Current Visual     : None
  Default Encoding   : UTF-8
  GNU C Library      : 2.21 stable
  MATLAB Architecture: glnxa64
  MATLAB Root        : /usr/local/MATLAB/R2014b
  MATLAB Version     : 8.4.0.150421 (R2014b)
  Operating System   : Linux 4.2.0-34-generic #39-Ubuntu SMP Thu Mar 10 22:13:01 UTC 2016 x86_64
  Processor ID       : x86 Family 6 Model 15 Stepping 11, GenuineIntel
  Virtual Machine    : Java 1.7.0_11-b21 with Oracle Corporation Java HotSpot(TM) 64-Bit Server VM mixed mode
  Window System      : No active display
Fault Count: 1
Abnormal termination:
Segmentation violation
Register State (from fault):
  RAX = 0000000000000000  RBX = 00007fdb91e76808
  RCX = 0000000000000000  RDX = 0000000000000003
  RSP = 00007fdc29c88ae0  RBP = 00007fdc29c88c00
  RSI = 0000000000000000  RDI = 00007fdb91e729e8
     R8 = 0000000000000018   R9 = 0000000000000000
    R10 = 00007fdb91e72000  R11 = 00007fdb91e77450
    R12 = 00007fdb92092f80  R13 = 0000000000000006
    R14 = 00007fdb91e73cc0  R15 = 00007fdbb84c5bc0
    RIP = 00007fdc40a3190a  EFL = 0000000000010206
     CS = 0033   FS = 0000   GS = 0000
Stack Trace (from fault):
[  0] 0x00007fdc40a3190a                        /lib64/ld-linux-x86-64.so.2+00051466
[  1] 0x00007fdc40a3a501                        /lib64/ld-linux-x86-64.so.2+00087297
[  2] 0x00007fdc40a354b4                        /lib64/ld-linux-x86-64.so.2+00066740
[  3] 0x00007fdc40a399f3                        /lib64/ld-linux-x86-64.so.2+00084467
[  4] 0x00007fdc3d2b6fc9                   /lib/x86_64-linux-gnu/libdl.so.2+00004041
[  5] 0x00007fdc40a354b4                        /lib64/ld-linux-x86-64.so.2+00066740
[  6] 0x00007fdc3d2b762d                   /lib/x86_64-linux-gnu/libdl.so.2+00005677
Tags (1)
0 Karma
Highlighted

Re: How to edit my props.conf to forward Matlab Crash Dump?

SplunkTrust
SplunkTrust

Give this a try

props.conf on Indexer/Heavy forwarder

[ <SOURCETYPE NAME> ]
SHOULD_LINEMERGE=false
disabled=false
LINE_BREAKER=(-+[\r\n]+)(?=\s+\S+.+\w+\s\d{2}\s\d{2}:\d{2}:\d{2} \d{4})
TIME_FORMAT=%b %d %H:%M:%S %Y
TIME_PREFIX=at\s+\w+\s
MAX_TIMESTAMP_LOOKAHEAD=20

View solution in original post