Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Why does Splunk sometimes insert the a blank line in forwarded log4net logs?

rajeevmcaiomedi
New Member
‎02-10-2015 09:55 PM

I have the following log punch by log4net

DATE   :   02-10-2015 05:06:37
URL    :   http://localhost/229/processType/BY
TYPE   :   ERROR 
DETAILS:
System.Exception: Max TM connection failed, StatusCode:Accepted ,MaxAttempt:21

But by using forwarder i am getting the following log punch on indexer

DATE   :   02-10-2015 05:06:37
URL    :   http://localhost/229/processType/BY
TYPE   :   ERROR 
DETAILS:

System.Exception: Max TM connection failed, StatusCode:Accepted ,MaxAttempt:21

one extra space is included under Details which search does not process for "Max TM connection failed". and no line break i.e ------------
included in the indexer log. This is happening on some events, not all events.

Can you please let me know why this issue arises and what is the workaround for this?

0 Karma
Reply

lmyrefelt
Builder
‎02-11-2015 11:33 AM

You could open your look file (the source) in some good text-editor like notepad++ and check for line breaks , character returns and other "hidden" stuff , to make sure the source is not appending anything Splunk breaks or splits events on .. i have not seen splunk adding stuff by it selfs

0 Karma
Reply

lmyrefelt
Builder
‎02-11-2015 11:31 AM

Hi,

I would have tried to configure LINE_BREAKER in props.conf for the source type . I have earlier had success with this in similar events / problems. By configure the line_breaker you say to splunk not break your events on standard new-line, break och what ever ... which might be the case.

example
LINE_BREAKER = ([\r\n]+)DATE\s++:\s++\d{2}-\d{2}-\d{4}

LINE_BREAKER = ([\r\n]+)DATE\s++\:\s++\d{2}\-\d{2}\-\d{4}
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...