- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Multiline file, indexes every line
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi
I have a log file that mainly contains one liners, but the errors that are logged comes as multiple lines and are indexed as "one line, one event", and I do want the complete error message to be logged as one event.
I have seen several solutions to this probem already, but have yet to get it to work.
Can I get a little helt to get my props.conf in order?
This is a sample from my log file, and at the bottom is my props.conf
2015-05-05 08:58:39,036 [7] DEBUG [(null)] - WebMethod InsertNIRData initializing
2015-05-05 08:58:39,037 [7] DEBUG [(null)] - WebMethod HandleExceptionResponse finalizing
2015-05-05 08:58:39,038 [7] ERROR [(null)] - Exception caught
System.Exception
Tilgang til operasjon \"InsertNIRData\" er blokkert av IMDI inntil videre.
at NIRWebServices.NIRWebServices.InitWebMethodInvoked(WSResponse wsResponse, Object[] wsParams, String memberName)
at NIRWebServices.NIRWebServices.InsertNIRData(UploadSchema uploadSchema)
System.Exception: Tilgang til operasjon \"InsertNIRData\" er blokkert av IMDI inntil videre.
at NIRWebServices.NIRWebServices.InitWebMethodInvoked(WSResponse wsResponse, Object[] wsParams, String memberName)
at NIRWebServices.NIRWebServices.InsertNIRData(UploadSchema uploadSchema)
2015-05-05 09:01:23,649 [19] DEBUG [(null)] - WebMethod GetAllInfoForPersonWithDufnr initializing
2015-05-05 09:01:23,717 [19] DEBUG [(null)] - WcfClientProxy executed successfully!
2015-05-05 09:01:26,729 [19] DEBUG [(null)] - WcfClientProxy executed successfully!
2015-05-05 09:01:39,323 [19] DEBUG [(null)] - WebMethod GetAllInfoForPersonWithDufnr initializing
the props.conf file
[im-app3-file]
BREAK_ONLY_BEFORE=\d{4}-\d{2}-\d{2}
NO_BINARY_CHECK=1
SHOULD_LINEMERGE=true
TIME_FORMAT=%Y-%d-%m %H:%M:%S,%3Q
Also, what is realy suposed to be within the brackets in the props.conf file?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
There are multiple things that can be in between the brackets but the only thing that can be without any other syntax (prefix) is a sourcetype. So the first question is, is "im-app3-file" your sourcetype (check your inputs.conf file)? You should be fine if you minimize all of your settings reducing down to only the ones you KNOW you need (e.g. get rid of "BREAK_ONLY_BEFORE") and then put this in your props.conf stanza:
BREAK_ONLY_BEFORE_DATE = False
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
There are multiple things that can be in between the brackets but the only thing that can be without any other syntax (prefix) is a sourcetype. So the first question is, is "im-app3-file" your sourcetype (check your inputs.conf file)? You should be fine if you minimize all of your settings reducing down to only the ones you KNOW you need (e.g. get rid of "BREAK_ONLY_BEFORE") and then put this in your props.conf stanza:
BREAK_ONLY_BEFORE_DATE = False
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks, the problem turned out to be the sourcetype declaration that was missing from input.confs. After i added it inside splunk, and rewrote the props.config it now works like it should. Thank you 🙂
Welcome to the Splunk Community!
Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM
Adoption of RUM and APM at Splunk
