Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Line breaking issues with source that is not in index

jihape
Path Finder
‎04-09-2018 08:21 PM

I have a strange issue where I get lots of line breaking errors about a particular file, but I can't find the file in any of my indexes.

04-10-2018 13:12:54.887 +1000 WARN  AggregatorMiningProcessor - Changing breaking behavior for event stream because MAX_EVENTS (256) was exceeded without a single event break. Will set BREAK_ONLY_BEFORE_DATE to False, and unset any MUST_NOT_BREAK_BEFORE or MUST_NOT_BREAK_AFTER rules. Typically this will amount to treating this data as single-line only. - data_source="/opt/local/sys/iw-home/OpenDeployNG/etc/deploy.cfg", data_host="itsun12", data_sourcetype="xxxxxx_appmon_prod"

When I try to find the offending events I don't see anything for that source.

index=* host=* source=/opt/local/sys/iw-home/OpenDeployNG/etc/deploy.cfg

Has anyone seen this before?

0 Karma
Reply

FrankVl
Ultra Champion
‎04-12-2018 12:09 AM

What timerange did you search for? If the linebreaking fails this badly, I wouldn't be surprised if timestamping might also be broken, causing those events to show up on a different place on the timeline as where you may expect them based on when the error occurred. Alternatively, you could run a | metadata type=sources search over all time and see if the troubled source shows up in there.

But rather than trying to find this data in Splunk, I would use the information in the error message to track down the datasource, the forwarder that is sending this data and the relevant inputs, props and transforms that are getting applied. So you can check whether that config makes sense for that source file. The filename located in etc/ and ending in .cfg sounds like a config file. Not typically something you ingest into splunk; especially with BREAK_ONLY_BEFORE_DATE=true as I've never seen a config file that has dates before each line or so...

0 Karma
Reply

eylonronen
Explorer
‎04-09-2018 09:31 PM

You may want to be more specific about the index in your search. It happens quite often to me that when I search index=* and than filter by source I dont get result but when i search index= source=, i get results. Probebly splunk is doing some optimizations to the search process and when you have a lot of data it doesnt want to go over all of it if not necsessery.

0 Karma
Reply

jihape
Path Finder
‎04-11-2018 11:32 PM

Didn't get me any closer to finding them 😕 Splunk won't search without anything set after the '=' symbol.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...

SplunkTrust Application Period is Officially OPEN!

It's that time, folks! The application/nomination period for the 2026-2027 SplunkTrust is officially open. If ...

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...