Why is regex working fine in standalone Splunk bu...

AK_Splunk · ‎12-09-2022

Regex working fine in standalone splunk but not in clustered environment.
1) Indexer conponent of app-->test_log_idx having the indexes.conf and props.conf kept at default directory with local directory empty is below.

[test:sanetiq:log]
CHARSET = AUTO
DATETIME_CONFIG =
EXTRACT-log_level = \[\d+\]\s(?P<log_level>[^\s]+)
EXTRACT-message = \]\s-\s(?P<message>.+)
EXTRACT-process_name = \[\d+\]\s.+\s\s(?P<process_name>.+)\s\[
EXTRACT-sanetiq_label_type = Label\sType\s=\s(?P<sanetiq_label_type>[^\s]+)
EXTRACT-sanetiq_mask_template = Mask\sTemplate\s=\s(?P<sanetiq_mask_template>[^\s]+)
EXTRACT-sanetiq_print_request_id = Print\sRequest\s=\s(?P<sanetiq_print_request_id>[^\s]+)
EXTRACT-sanetiq_printer_name = Printer\s=\s(?P<sanetiq_printer_name>[^\s]+)
NO_BINARY_CHECK = true
category = Custom
disabled = false
pulldown_type = true

2) UF component of app-->deployed to UF is test_log_uf having inputs.conf placed in default and local directory is empty

[monitor://D:\Tab\Server\data\SanetiqLogger\*log*]

index=test_log_data
source=test:sanetiq:log

3) Search head component of app-->test_log_sh having same props.conf as mentioned above

Sample data
2022-12-09 16:02:04,304 [2452022120993750] INFO SanetiqLogger [(null)] - Lppx2Manager.QuitLppx2() method ends
2022-12-09 16:02:04,040 [2452022120993750] INFO SanetiqLogger [(null)] - Closing all documents in Codesoft Instance
2022-12-09 16:02:04,038 [2452022120993750] INFO SanetiqLogger [(null)] - Lppx2Manager.connectToLppx2() method begins
2022-12-09 16:02:04,037 [2452022120993750] INFO SanetiqLogger [(null)] - Get Active Codesoft Instance to quit : PID - 30812
2022-12-09 16:02:04,035 [2452022120993750] INFO SanetiqLogger [(null)] - Lppx2Manager.QuitLppx2() method begins
2022-12-09 16:02:04,030 [2452022120993750] INFO SanetiqLogger [(null)] - Finish Codesoft Instance PID : 30812
1 Labels printed
Printer = Zebra ZM400 (203 dpi)- ABCDB362
Mask Template = DI AMBRS-IDENT REGLEMENTEE
Label Type = DI IDENT REGLEMENTEE
2022-12-09 16:02:03,480 [2452022120993750] INFO SanetiqLogger [(null)] - PRINT : Print Request = 3855021
2022-12-09 16:01:56,936 [2452022120993750] INFO SanetiqLogger [(null)] - Lppx2Manager.connectToLppx2() method ends
2022-12-09 16:01:56,928 [2452022120993750] INFO SanetiqLogger [(null)] - Codesoft Instance Created : PID - 30812
2022-12-09 16:01:52,127 [2452022120993750] INFO SanetiqLogger [(null)] - Lppx2Manager.connectToLppx2() method begins
2022-12-09 16:01:50,708 [2452022120993750] INFO SanetiqLogger [(null)] - End of CheckIntegrity(string strUserMatricule)
2022-12-09 16:01:50,675 [2452022120993750] INFO SanetiqLogger [(null)] - Satrt of CheckIntegrity(string strUserMatricule)
2022-12-09 16:01:50,670 [2452022120993750] INFO SanetiqLogger [(null)] - Check Integrity of printTask 1604231 printrequest 3855021
Imported Print Requests : 1
2022-12-09 15:56:27,266 [2412022120993750] INFO SanetiqLogger [(null)] - Imported Data Lines : 1
2022-12-09 15:56:23,731 [2412022120993750] INFO SanetiqLogger [(null)] - Data Import File E:\sanetiq\sanofi\etudes\ficentree\AMBXSQP\GPAO\TPSREEL\SANIDENT.1 correctly deleted
at Sanetiq.BusinessFramework.BusinessObjects.PrintModule.Loop()
at Sanetiq.BusinessFramework.BusinessObjects.PrintTask.CheckIntegrity(String strUserMatricule)
2022-12-09 15:51:26,540 [2452022120993750] ERROR SanetiqLogger [(null)] - ERROR : at Sanetiq.BusinessFramework.BusinessObjects.PrintTask.checkPrinterAndMaskTemplateCompatibility(Printer printer, MaskTemplate maskTemplate, String strUserMatricule)
2022-12-09 15:51:26,532 [2452022120993750] ERROR SanetiqLogger [(null)] - Service Print Error2 : PrintRequest ID=3855018, Error=LABEL_FORMAT_INCOMPATIBLE
2022-12-09 15:51:26,367 [2452022120993750] INFO SanetiqLogger [(null)] - Satrt of CheckIntegrity(string strUserMatricule)
2022-12-09 15:51:26,363 [2452022120993750] INFO SanetiqLogger [(null)] - Check Integrity of printTask 1604228 printrequest 3855018
2022-12-09 15:48:58,989 [2262022120993750] INFO SanetiqLogger [(null)] - Lppx2Manager.QuitLppx2() method ends
2022-12-09 15:48:58,736 [2262022120993750] INFO SanetiqLogger [(null)] - Closing all documents in Codesoft Instance
2022-12-09 15:48:58,732 [2262022120993750] INFO SanetiqLogger [(null)] - Lppx2Manager.connectToLppx2() method begins
2022-12-09 15:48:58,728 [2262022120993750] INFO SanetiqLogger [(null)] - Get Active Codesoft Instance to quit : PID - 4340
2022-12-09 15:48:58,724 [2262022120993750] INFO SanetiqLogger [(null)] - Lppx2Manager.QuitLppx2() method begins
2022-12-09 15:48:58,717 [2262022120993750] INFO SanetiqLogger [(null)] - Finish Codesoft Instance PID : 1234
1 Labels printed
Printer = Zebra ZM400 (203 dpi) - BOX5
Mask Template = TICKET-PESEE-300
Label Type = Tickets BOX5
2022-12-09 15:48:58,152 [2262022120993750] INFO SanetiqLogger [(null)] - PRINT : Print Request = 3855017
2022-12-09 15:48:47,883 [2262022120993750] INFO SanetiqLogger [(null)] - Lppx2Manager.connectToLppx2() method ends
2022-12-09 15:48:47,879 [2262022120993750] INFO SanetiqLogger [(null)] - Codesoft Instance Created : PID - 4340
2022-12-09 15:48:42,148 [2262022120993750] INFO SanetiqLogger [(null)] - Lppx2Manager.connectToLppx2() method begins
2022-12-09 15:48:41,272 [2262022120993750] INFO SanetiqLogger [(null)] - End of CheckIntegrity(string strUserMatricule)
2022-12-09 15:48:41,211 [2262022120993750] INFO SanetiqLogger [(null)] - Satrt of CheckIntegrity(string strUserMatricule)
2022-12-09 15:48:41,204 [2262022120993750] INFO SanetiqLogger [(null)] - Check Integrity of printTask 1234567 printrequest 1234567
Imported Print Requests : 1
2022-12-09 15:48:40,389 [2222022120993750] INFO SanetiqLogger [(null)] - Imported Data Lines : 1
2022-12-09 15:48:40,276 [2222022120993750] INFO SanetiqLogger [(null)] - Data Import File E:\sanetiq\sanofi\etudes\ficentree\AMBXSQP\XFP\BOX5\ticpes correctly deleted
at Sanetiq.BusinessFramework.BusinessObjects.PrintModule.Loop()
at Sanetiq.BusinessFramework.BusinessObjects.PrintTask.CheckIntegrity(String strUserMatricule)
2022-12-09 15:53:48,067 [2452022120993750] ERROR SanetiqLogger [(null)] - ERROR : at Sanetiq.BusinessFramework.BusinessObjects.PrintTask.checkPrinterAndMaskTemplateCompatibility(Printer printer, MaskTemplate maskTemplate, String strUserMatricule)
2022-12-09 15:53:48,060 [2452022120993750] ERROR SanetiqLogger [(null)] - Service Print Error2 : PrintRequest ID=3855020, Error=LABEL_FORMAT_INCOMPATIBLE
2022-12-09 15:53:47,909 [2452022120993750] INFO SanetiqLogger [(null)] - Satrt of CheckIntegrity(string strUserMatricule)
2022-12-09 15:53:47,905 [2452022120993750] INFO SanetiqLogger [(null)] - Check Integrity of printTask 1604230 printrequest 3855020
2022-12-09 15:52:20,553 [2262022120993750] INFO SanetiqLogger [(null)] - Lppx2Manager.connectToLppx2() method ends
2022-12-09 15:52:20,548 [2262022120993750] INFO SanetiqLogger [(null)] - Codesoft Instance Created : PID - 1556
2022-12-09 15:52:16,395 [2262022120993750] INFO SanetiqLogger [(null)] - Lppx2Manager.connectToLppx2() method begins
2022-12-09 15:52:15,859 [2262022120993750] INFO SanetiqLogger [(null)] - End of CheckIntegrity(string strUserMatricule)
2022-12-09 15:52:15,825 [2262022120993750] INFO SanetiqLogger [(null)] - Satrt of CheckIntegrity(string strUserMatricule)
2022-12-09 15:52:15,822 [2262022120993750] INFO SanetiqLogger [(null)] - Check Integrity of printTask 1604229 printrequest 3855019
Imported Print Requests : 1
2022-12-09 15:52:14,912 [2222022120993750] INFO SanetiqLogger [(null)] - Imported Data Lines : 1
2022-12-09 15:52:14,847 [2222022120993750] INFO SanetiqLogger [(null)] - Data Import File E:\sanetiq\sanofi\etudes\ficentree\AMBXSQP\XFP\BOX5\ticpes correctly deleted
2022-12-09 15:52:30,245 [2262022120993750] INFO SanetiqLogger [(null)] - Lppx2Manager.QuitLppx2() method ends
2022-12-09 15:52:29,871 [2262022120993750] INFO SanetiqLogger [(null)] - Closing all documents in Codesoft Instance
2022-12-09 15:52:29,866 [2262022120993750] INFO SanetiqLogger [(null)] - Lppx2Manager.connectToLppx2() method begins
2022-12-09 15:52:29,861 [2262022120993750] INFO SanetiqLogger [(null)] - Get Active Codesoft Instance to quit : PID - 1556
2022-12-09 15:52:29,855 [2262022120993750] INFO SanetiqLogger [(null)] - Lppx2Manager.QuitLppx2() method begins
2022-12-09 15:52:29,848 [2262022120993750] INFO SanetiqLogger [(null)] - Finish Codesoft Instance PID : 1556
1 Labels printed
Printer = Zebra ZM400 (203 dpi) - BOX5
Mask Template = TICKET-PESEE-300
Label Type = Tickets BOX5
2022-12-09 15:52:29,213 [2262022120993750] INFO SanetiqLogger [(null)] - PRINT : Print Request = 3855019
2022-12-09 15:43:03,149 [2452022120993750] INFO SanetiqLogger [(null)] - Lppx2Manager.QuitLppx2() method ends
2022-12-09 15:43:02,688 [2452022120993750] INFO SanetiqLogger [(null)] - Closing all documents in Codesoft Instance
2022-12-09 15:43:02,682 [2452022120993750] INFO SanetiqLogger [(null)] - Lppx2Manager.connectToLppx2() method begins
2022-12-09 15:43:02,676 [2452022120993750] INFO SanetiqLogger [(null)] - Get Active Codesoft Instance to quit : PID - 18592
2022-12-09 15:43:02,670 [2452022120993750] INFO SanetiqLogger [(null)] - Lppx2Manager.QuitLppx2() method begins
2022-12-09 15:43:02,662 [2452022120993750] INFO SanetiqLogger [(null)] - Finish Codesoft Instance PID : 18592
1 Labels printed
Printer = ZEBRA 105S/Se - Fab Multi-produits - Vracs avec picto
Mask Template = SHP-END
Label Type = 01-Identification Vracs Int avec picto Multi-Pro
2022-12-09 15:43:00,828 [2452022120993750] INFO SanetiqLogger [(null)] - PRINT : Print Request = 3855015
1 Labels printed
Printer = L_LPAMB406
Mask Template = LUNA_AMB_PREL_AC_SEP
Label Type = Prélèvements AC Séparateur
2022-12-09 15:43:00,336 [2252022120993750] INFO SanetiqLogger [(null)] - PRINT : Print Request = 3855014
2022-12-09 15:42:58,512 [2452022120993750] INFO SanetiqLogger [(null)] - Print with Codesoft Instance PID : 18592
at Sanetiq.BusinessFramework.BusinessObjects.PrintModule.Loop()
at Sanetiq.BusinessFramework.BusinessObjects.PrintTask.CheckIntegrity(String strUserMatricule)

PickleRick · ‎01-05-2023

Please include appropriate parts of your message as either preformatted style

like this

or code block

like this

It greatly improves readability.

AK_Splunk · ‎01-04-2023

Yeah! regex looks fine but is not working in clustered environment.

richgalloway · ‎01-05-2023

You said that before. Please elaborate. When you say the regex is not working fine in a clustered environment, what exactly does that mean? How do you know it's not working right? Does the problem exist on all cluster members or just some of them? Is the props.conf file distributed to all cluster members?

---
If this reply helps you, Karma would be appreciated.

richgalloway · ‎12-09-2022

There are seven regular expressions in the OP. Which one is not working?

When you say the regex is not working fine in a clustered environment, what exactly do you mean? How do you know it's not working right? Does the problem exist on all cluster members or just some of them? Is the props.conf file distributed to all cluster members?

---
If this reply helps you, Karma would be appreciated.

AK_Splunk · ‎12-22-2022

Hi Thanks for your response. The regex for log_level is not working fine. I have applied the regex in props.conf for field extracction. When I pushed this ap p in clustered environment ie. inputs.conf in the uf component, props.conf and indexes.conf in the indexers. I am not getting the exact fields in the splunk data.

richgalloway · ‎12-24-2022

How does the log_level extraction not work as expected? The regex appears to work find in regex101.com with the sample data. What exact fields do you expect to get?

---
If this reply helps you, Karma would be appreciated.

Why is regex working fine in standalone Splunk but not in clustered environment?

indexer

inputs.conf

props.conf

universal forwarder

.conf24 | Day 0

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

Troubleshooting the OpenTelemetry Collector