FINEST|3016/0|16-11-03 06:45:00|06:45:00,186 ERROR [SecurityManagerAudit] [Overall test] [134981.test] .getGebruiker() nl.allshare.securitymanager.exceptions.SecurityManagerException: *** XMLSecurityMetaInfoService Exception voor Gebruiker: ADPNL00007821 >>
FINEST|3016/0|16-11-03 06:45:00| at nl.allshare.securitymanager.manager.modules.XMLSecurityMetaInfoService.getGebruiker(XMLSecurityMetaInfoService.java:89)
FINEST|3016/0|16-11-03 06:45:00| at nl.allshare.securitymanager.manager.modules.XMLSecurityMetaInfoService.getGebruiker(XMLSecurityMetaInfoService.java:69)
FINEST|3016/0|16-11-03 06:45:00| ... 22 more
FINEST|3016/0|16-11-03 06:45:00|
FINEST|3016/0|16-11-03 06:47:00|06:46:12,189 ERROR [testing] [Overall test] [134985.test] .getGebruiker() nl.allshare.securitymanager.exceptions.SecurityManagerException: *** XMLSecurityMetaInfoService Exception voor >>
FINEST|3016/0|16-11-03 06:47:00| at nl.allshare.securitymanager.manager.modules.XMLSecurityMetaInfoService.getGebruiker(XMLSecurityMetaInfoService.java:89)
FINEST|3016/0|16-11-03 06:47:00| at nl.allshare.securitymanager.manager.utils.SecurityManager.getNotCachedGebruiker(SecurityManager.java:1369)
FINEST|3016/0|16-11-03 06:47:00| ... 22 more
FINEST|3016/0|16-11-03 06:47:00|
Try the settings below for your sourcetype in props.conf:
[my_sourcetype]
TIME_PREFIX = ^(?=([^\|]+\|){3})
TIME_FORMAT = %T,%3N
MAX_TIMESTAMP_LOOKAHEAD = 25
LINE_BREAKER = ([\n\r]+)(?=([^\|]+\|){3}(\d{2}\:){2}\d{2}\,\d{3}\s+)
SHOULD_LINEMERGE = False
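An added example, not part of the original answer: a Python emulation of how the LINE_BREAKER above splits the posted log, assuming Splunk's documented behaviour that the text matched by the first capture group marks the event boundary and is discarded. The sample lines are constructed by shortening the log in the question, and `break_events` is a hypothetical helper name.

```python
import re

# LINE_BREAKER copied from the props.conf stanza above.
LINE_BREAKER = r"([\n\r]+)(?=([^\|]+\|){3}(\d{2}\:){2}\d{2}\,\d{3}\s+)"

# Constructed sample: shortened versions of the log lines in the question.
SAMPLE = "\n".join([
    "FINEST|3016/0|16-11-03 06:45:00|06:45:00,186 ERROR [SecurityManagerAudit] [Overall test] SecurityManagerException >>",
    "FINEST|3016/0|16-11-03 06:45:00| at XMLSecurityMetaInfoService.getGebruiker(XMLSecurityMetaInfoService.java:89)",
    "FINEST|3016/0|16-11-03 06:45:00| ... 22 more",
    "FINEST|3016/0|16-11-03 06:45:00|",
    "FINEST|3016/0|16-11-03 06:47:00|06:46:12,189 ERROR [testing] [Overall test] SecurityManagerException >>",
    "FINEST|3016/0|16-11-03 06:47:00| at SecurityManager.getNotCachedGebruiker(SecurityManager.java:1369)",
    "FINEST|3016/0|16-11-03 06:47:00| ... 22 more",
    "FINEST|3016/0|16-11-03 06:47:00|",
]) + "\n"


def break_events(raw, pattern=LINE_BREAKER):
    """Split raw text into events the way LINE_BREAKER is assumed to work:
    each match ends the current event just before capture group 1 and
    starts the next event just after it (group 1 itself is dropped)."""
    events, start = [], 0
    for m in re.finditer(pattern, raw):
        events.append(raw[start:m.start(1)])
        start = m.end(1)
    tail = raw[start:].rstrip("\r\n")
    if tail:
        events.append(tail)
    return events


if __name__ == "__main__":
    for i, event in enumerate(break_events(SAMPLE), 1):
        print(f"--- event {i} ({event.count(chr(10)) + 1} lines) ---")
        print(event)
```

Only lines whose fourth pipe-delimited field starts with an `HH:MM:SS,mmm` timestamp open a new event, so the `at ...` and `... 22 more` lines stay attached to the ERROR line above them.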
In addition to the above, I have tried the settings below in the Splunk props file, but it still doesn't group the events with the stack trace.
[log4j]
SHOULD_LINEMERGE = true
NO_BINARY_CHECK = true
BREAK_ONLY_BEFORE = [.?] [.?] [.?] [.?] (.*?)
Could you please help us?