Getting Data In

Splunk Hadoop Logs Parsing

don12
New Member

Hello Guys,

Am having with hadoop logs that is not properly parsed when I use the sourcetype:linux_secure or access_combined. I have gone through the splunk documentation and hadoop docs to see if there is a way for me to parse the logs properly but not seeing anything of help.

I would be really glad if someone can point me in the right direction.

Sample Logs below:

... 10 more
at org.apache.thrift.transport.TSaslServerTransport$Factory.getTransport(TSaslServerTransport.java:216) ~[hive-exec-2.1.1-cdh6.3.0.jar:2.1.1-cdh6.3.0]
at org.apache.thrift.transport.TSaslServerTransport.open(TSaslServerTransport.java:41) ~[hive-exec-2.1.1-cdh6.3.0.jar:2.1.1-cdh6.3.0]
at org.apache.thrift.transport.TSaslTransport.open(TSaslTransport.java:326) ~[hive-exec-2.1.1-cdh6.3.0.jar:2.1.1-cdh6.3.0]
Caused by: org.apache.thrift.transport.TSaslTransportException: No data or no sasl data in the stream
at java.lang.Thread.run(Thread.java:748) [?:1.8.0_181]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [?:1.8.0_181]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [?:1.8.0_181]
at org.apache.thrift.server.TThreadPoolServer$WorkerProcess.run(TThreadPoolServer.java:269) [hive-exec-2.1.1-cdh6.3.0.jar:2.1.1-cdh6.3.0]
at org.apache.hadoop.hive.thrift.HadoopThriftAuthBridge$Server$TUGIAssumingTransportFactory.getTransport(HadoopThriftAuthBridge.java:649) ~[hive-exec-2.1.1-cdh6.3.0.jar:2.1.1-cdh6.3.0]
at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1855) ~[hadoop-common-3.0.0-cdh6.3.0.jar:?]
at javax.security.auth.Subject.doAs(Subject.java:360) ~[?:1.8.0_181]
at java.security.AccessController.doPrivileged(Native Method) ~[?:1.8.0_181]
at org.apache.hadoop.hive.thrift.HadoopThriftAuthBridge$Server$TUGIAssumingTransportFactory$1.run(HadoopThriftAuthBridge.java:649) ~[hive-exec-2.1.1-cdh6.3.0.jar:2.1.1-cdh6.3.0]
at org.apache.hadoop.hive.thrift.HadoopThriftAuthBridge$Server$TUGIAssumingTransportFactory$1.run(HadoopThriftAuthBridge.java:652) ~[hive-exec-2.1.1-cdh6.3.0.jar:2.1.1-cdh6.3.0]
at org.apache.thrift.transport.TSaslServerTransport$Factory.getTransport(TSaslServerTransport.java:219) ~[hive-exec-2.1.1-cdh6.3.0.jar:2.1.1-cdh6.3.0]
java.lang.RuntimeException: org.apache.thrift.transport.TSaslTransportException: No data or no sasl data in the stream
2021-04-20 12:34:21,906 ERROR org.apache.thrift.server.TThreadPoolServer: [HiveServer2-Handler-Pool: Thread-56]: Error occurred during processing of message.
... 10 more
at org.apache.thrift.transport.TSaslServerTransport$Factory.getTransport(TSaslServerTransport.java:216) ~[hive-exec-2.1.1-cdh6.3.0.jar:2.1.1-cdh6.3.0]
at org.apache.thrift.transport.TSaslServerTransport.open(TSaslServerTransport.java:41) ~[hive-exec-2.1.1-cdh6.3.0.jar:2.1.1-cdh6.3.0]
at org.apache.thrift.transport.TSaslTransport.open(TSaslTransport.java:326) ~[hive-exec-2.1.1-cdh6.3.0.jar:2.1.1-cdh6.3.0]
Caused by: org.apache.thrift.transport.TSaslTransportException: No data or no sasl data in the stream
at java.lang.Thread.run(Thread.java:748) [?:1.8.0_181]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [?:1.8.0_181]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [?:1.8.0_181]
at org.apache.thrift.server.TThreadPoolServer$WorkerProcess.run(TThreadPoolServer.java:269) [hive-exec-2.1.1-cdh6.3.0.jar:2.1.1-cdh6.3.0]
at org.apache.hadoop.hive.thrift.HadoopThriftAuthBridge$Server$TUGIAssumingTransportFactory.getTransport(HadoopThriftAuthBridge.java:649) ~[hive-exec-2.1.1-cdh6.3.0.jar:2.1.1-cdh6.3.0]
at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1855) ~[hadoop-common-3.0.0-cdh6.3.0.jar:?]
at javax.security.auth.Subject.doAs(Subject.java:360) ~[?:1.8.0_181]
at java.security.AccessController.doPrivileged(Native Method) ~[?:1.8.0_181]
at org.apache.hadoop.hive.thrift.HadoopThriftAuthBridge$Server$TUGIAssumingTransportFactory$1.run(HadoopThriftAuthBridge.java:649) ~[hive-exec-2.1.1-cdh6.3.0.jar:2.1.1-cdh6.3.0]
at org.apache.hadoop.hive.thrift.HadoopThriftAuthBridge$Server$TUGIAssumingTransportFactory$1.run(HadoopThriftAuthBridge.java:652) ~[hive-exec-2.1.1-cdh6.3.0.jar:2.1.1-cdh6.3.0]
at org.apache.thrift.transport.TSaslServerTransport$Factory.getTransport(TSaslServerTransport.java:219) ~[hive-exec-2.1.1-cdh6.3.0.jar:2.1.1-cdh6.3.0]
java.lang.RuntimeException: org.apache.thrift.transport.TSaslTransportException: No data or no sasl data in the stream
2021-04-20 12:34:21,905 ERROR org.apache.thrift.server.TThreadPoolServer: [HiveServer2-Handler-Pool: Thread-56]: Error occurred during processing of message.
2021-04-20 12:34:21,887 INFO org.apache.hadoop.hive.ql.session.SessionState: [a11894f3-4ce4-478a-a11a-8fa624429f33 HiveServer2-Handler-Pool: Thread-6527170]: Resetting thread name to HiveServer2-Handler-Pool: Thread-6527170
2021-04-20 12:34:21,887 INFO org.apache.hadoop.hive.conf.HiveConf: [a11894f3-4ce4-478a-a11a-8fa624429f33 HiveServer2-Handler-Pool: Thread-6527170]: Using the default value passed in for log id: a11894f3-4ce4-478a-a11a-8fa624429f33
2021-04-20 12:34:21,884 INFO org.apache.hadoop.hive.ql.session.SessionState: [HiveServer2-Handler-Pool: Thread-6527170]: Updating thread name to a11894f3-4ce4-478a-a11a-8fa624429f33 HiveServer2-Handler-Pool: Thread-6527170
2021-04-20 12:34:21,884 INFO org.apache.hadoop.hive.conf.HiveConf: [HiveServer2-Handler-Pool: Thread-6527170]: Using the default value passed in for log id: a11894f3-4ce4-478a-a11a-8fa624429f33
... 10 more

Labels (2)
0 Karma

venkatasri
SplunkTrust
SplunkTrust

Hi @don12 

Following config would work for above logs format, copy this to props.conf file to either HF/indexer layer under /opt/splunk/etc/apps/<app_name>/local (or)  /opt/splunk/etc/system/local followed by a restart. 

[hadoop_logs]
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)
TIME_PREFIX=^
TIME_FORMAT=%Y-%m-%d %H:%M:%S,%3Q

----------------------------------------------------

An upvote would be appreciated if it helps!

0 Karma

don12
New Member

Hello,

 

I tried pushing the props.conf changes to all the indexes but I am not seeing any changes. I still see something like this below:

 

... 10 more

 

Thank you so much for your help.

Tags (1)
0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...