Getting Data In

Why are my Catalina logs not line breaking as expected when I set up a directory monitor in inputs.conf?

user12345a_2
Explorer

Hello,

I'm trying to get some Tomcat Catalina logs to import correctly. Manually importing the files works fine, but isn't an option beyond the test I'm running. So, when I select "Add Data" from main dashboard, select "upload files from my computer", select my file and choose the log file, set the sourcetype as "application->catalina" I get the expected results:

Splunk Result 1:

2016-08-12 11:51:21,391 INFO [org.jasig.inspektr.audit.Slf5jLoggingAuditTrailManager] - Audit trail record BEGIN
=============================================================
WHO: audit:unknown
WHAT: ${ticket}
ACTION: SERVICE_TICKET_VALIDATE_FAILED
APPLICATION: CAS
WHEN: Fri Aug 12 12:51:21 CDT 2016
CLIENT IP ADDRESS: 123.45.6.78
SERVER IP ADDRESS: myserver.mydomain.com
============================================================

host = indexer1 source = cas-81216.log sourcetype = catalina

However, when I set up a forwarder and set up my inputs.conf as follows:

[monitor://C:\test_dir\]
index=my_test_index
sourcetype=catalina

(I've tried "Catalina", and leaving this line out as well; none produced the desired results.)

Every line (including the ======='s) is a separate Splunk result.

Splunk Result 1:

2016-08-12 11:51:21,391 INFO [org.jasig.inspektr.audit.Slf5jLoggingAuditTrailManager] - Audit trail record BEGIN

Splunk Result 2:

=============================================================

...etc.

So how do I get my forwarded results to not break on each line?

Thank you in advance for any help.

0 Karma
1 Solution

user12345a_2
Explorer

So I tried multiple variations of the BREAK_ONLY_BEFORE variable and other props.conf settings with no effect. I ended up sending this to a friend who ran it through his VM lab, and without any props.conf it imported beautifully. I was using a Windows 7 UF client and switched to a *NIX UF client, and it fixed the problem in my VM lab. Thanks for the help.

0 Karma

supabuck
Path Finder

Hello user12345a_2,

In order to accomplish this you will need to use a file called props.conf.

http://docs.splunk.com/Documentation/Splunk/6.4.2/Admin/Propsconf

Props.conf is used to manipulate how files are read by Splunk. So if you were to add a directive within props.conf such as

[catalina]
SHOULD_LINEMERGE=true
NO_BINARY_CHECK=true
BREAK_ONLY_BEFORE=(?m)^\={60}$
CHARSET=UTF-8
disabled=false

Where 'catalina' is the sourcetype and 'BREAK_ONLY_BEFORE= (?m)^={60}$' matches the second set of equal signs being that there are 60 for the multi-line event.

Within your monitor stanza in inputs.conf it would remain as you have it above:

[monitor://C:\test_dir\]
 index=my_test_index
 sourcetype=catalina

There are other things which can be done to clean it up thereafter but that should get you on the right path. Remember to test in a lab prior to applying to production. The props.conf must also be changed on a heavy forwarder which is configured to forward these logs to the indexer(s) or on the indexer(s) themselves. Unfortunately you cannot apply these types of rules to universal forwarders. Let me know if this works.

0 Karma

user12345a_2
Explorer

supabuck,

Thank you for the help. So is there anyway to make this work given that the server where these reside has a UF not a HF? Can the props.conf changes be made on the indexer?

Thank you.

0 Karma

supabuck
Path Finder

Yes, this change can be made to the indexer. If you have multiple indexers you would want to make sure it is changed on them all. Find the props.conf file which defines how this sourcetype is being interpreted and update it. Within Linux you can use the following command from the $SPLUNK_HOME directory.

find ./* -name props.conf | xargs grep -i catalina

In the case that you have the sourcetype of catalina defined extractions 🙂

0 Karma