Event Breaks with FlexLM Licenses not ingesting consistently

sirkgm14vg
Explorer

I'm individually bringing in FlexLM files into Splunk, but alas, some of them are not parsing correctly. Some are fine, and what makes them unique is the timestamping.

The log file inserts timestamps without dates on each line, but uses a timestamp with a date to show the date, and each event on that date. It appears some of the FlexLM files are captured correctly, and some are not. Example:

        Timestamp   Event
1   3/4/14 12:58:59.000 PM  
12:58:59 (lmgrd) -----------------------------------------------
12:58:59 (lmgrd)   Please Note:
12:58:59 (lmgrd) 
12:58:59 (lmgrd)   This log is intended for debug purposes only.
12:58:59 (lmgrd)   In order to capture accurate license
12:58:59 (lmgrd)   usage data into an organized repository,
12:58:59 (lmgrd)   please enable report logging. Use Macrovision's
12:58:59 (lmgrd)   software license administration  solution,
12:58:59 (lmgrd)   FLEXnet Manager, to  readily gain visibility
12:58:59 (lmgrd)   into license usage data and to create
12:58:59 (lmgrd)   insightful reports on critical information like
12:58:59 (lmgrd)   license availability and usage. FLEXnet Manager
12:58:59 (lmgrd)   can be fully automated to run these reports on
12:58:59 (lmgrd)   schedule and can be used to track license
12:58:59 (lmgrd)   servers and usage across a heterogeneous
12:58:59 (lmgrd)   network of servers including Windows NT, Linux
12:58:59 (lmgrd)   and UNIX. Contact Macrovision at
12:58:59 (lmgrd)   www.macrovision.com for more details on how to
12:58:59 (lmgrd)   obtain an evaluation copy of FLEXnet Manager
12:58:59 (lmgrd)   for your enterprise.
12:58:59 (lmgrd) 
12:58:59 (lmgrd) -----------------------------------------------
12:58:59 (lmgrd) 
12:58:59 (lmgrd) 
2   1/20/11 12:58:59.000 PM 
12:58:59 (lmgrd) FLEXnet Licensing (v10.8.0.7 build 26147) started on warehouse (linux) (1/20/2011)
12:58:59 (lmgrd) Copyright (c) 1988-2006 Macrovision Europe Ltd. and/or Macrovision Corporation. All Rights Reserved.

This is an even better example:

24  1/25/11 7:00:51.000 PM  
19:00:51 (lmgrd) TIMESTAMP 1/25/2011
25  1/26/11 1:00:51.000 AM  
 1:00:51 (lmgrd) TIMESTAMP 1/26/2011
26  1/26/11 7:00:51.000 AM  
 7:00:51 (lmgrd) TIMESTAMP 1/26/2011
27  1/26/11 1:00:51.000 PM  
13:00:51 (lmgrd) TIMESTAMP 1/26/2011
17:39:41 (toolworks) OUT: "TotalView_Team" Jeffrey.Durachta@an006  
17:43:40 (toolworks) IN: "TotalView_Team" Jeffrey.Durachta@an006  
28  1/26/11 7:00:51.000 PM  
19:00:51 (lmgrd) TIMESTAMP 1/26/2011
29  1/27/11 1:00:51.000 AM  
 1:00:51 (lmgrd) TIMESTAMP 1/27/2011
30  1/27/11 7:00:51.000 AM  
 7:00:51 (lmgrd) TIMESTAMP 1/27/2011
31  1/27/11 1:00:51.000 PM  
13:00:51 (lmgrd) TIMESTAMP 1/27/2011
13:01:47 (toolworks) OUT: "TotalView_Team" mjn@mjn  
13:04:57 (toolworks) IN: "TotalView_Team" mjn@mjn  
13:05:15 (toolworks) OUT: "TotalView_Team" mjn@mjn  
13:07:50 (toolworks) IN: "TotalView_Team" mjn@mjn  
13:08:21 (toolworks) OUT: "TotalView_Team" mjn@mjn  
13:09:42 (toolworks) IN: "TotalView_Team" mjn@mjn  
13:32:19 (toolworks) OUT: "TotalView_Team" mjn@mjn  
13:32:26 (toolworks) IN: "TotalView_Team" mjn@mjn  
32  1/27/11 7:00:51.000 PM  
19:00:51 (lmgrd) TIMESTAMP 1/27/2011
33  1/28/11 1:00:51.000 AM  
 1:00:51 (lmgrd) TIMESTAMP 1/28/2011
34  1/28/11 7:00:51.000 AM  
 7:00:51 (lmgrd) TIMESTAMP 1/28/2011
35  1/28/11 1:00:51.000 PM  
13:00:51 (lmgrd) TIMESTAMP 1/28/2011
13:07:35 (toolworks) OUT: "TotalView_Team" Peter.Phillipps@an003  
13:57:12 (toolworks) IN: "TotalView_Team" Peter.Phillipps@an003 

However, my other log is PGI (not working):

2   3/5/14 12:58:02.000 PM  
12:58:02 (pgroupd) OUT: "pgf90-linux86" gkv@class07  
3   3/5/14 12:58:02.000 PM  
12:58:02 (pgroupd) IN: "pgf90-linux86" gkv@class07  
4   3/5/14 12:58:02.000 PM  
12:58:02 (pgroupd) OUT: "pgf90-linux86" gkv@class07  
5   3/5/14 12:58:02.000 PM  
12:58:02 (pgroupd) IN: "pgf90-linux86" gkv@class07  
6   3/5/14 12:59:26.000 PM  
12:59:26 (pgroupd) OUT: "pgf90-linux86" gkv@class07  
7   3/5/14 12:59:26.000 PM  
12:59:26 (pgroupd) IN: "pgf90-linux86" gkv@class07  
8   3/5/14 12:59:26.000 PM  
12:59:26 (pgroupd) OUT: "pgf90-linux86" gkv@class07  
9   3/5/14 12:59:26.000 PM  
12:59:26 (pgroupd) IN: "pgf90-linux86" gkv@class07  
10  3/5/14 1:17:42.000 PM   
13:17:42 (pgroupd) OUT: "pgf90-linux86" gkv@class07  
11  3/5/14 1:17:43.000 PM   
13:17:43 (pgroupd) IN: "pgf90-linux86" gkv@class07  
12  3/5/14 1:17:43.000 PM   
13:17:43 (pgroupd) OUT: "pgf90-linux86" gkv@class07  
13  3/5/14 1:17:43.000 PM   
13:17:43 (pgroupd) IN: "pgf90-linux86" gkv@class07  
14  3/4/14 4:32:33.000 PM   
16:32:33 (lmgrd) TIMESTAMP 5/9/2001
15  3/3/14 10:32:33.000 PM  
22:32:33 (lmgrd) TIMESTAMP 5/9/2001
16  3/3/14 4:32:33.000 AM   
 4:32:33 (lmgrd) TIMESTAMP 5/10/2001
17  3/2/14 10:32:33.000 AM  
10:32:33 (lmgrd) TIMESTAMP 5/10/2001
18  3/1/14 4:32:33.000 PM   
16:32:33 (lmgrd) TIMESTAMP 5/10/2001
19  2/28/14 10:32:33.000 PM 
22:32:33 (lmgrd) TIMESTAMP 5/10/2001
20  2/28/14 4:32:33.000 AM  
 4:32:33 (lmgrd) TIMESTAMP 5/11/2001

I understand that I could simply start with the props.conf, and if someone wants to take a whack at a solution, that'd be awesome. With that I'd really like someone to provide me the syntax to remove the banner/header that appears in the logs, but also to help capture that date correctly the way it's distributed in the TotalView file.

k2skaterii
Path Finder

Did you ever find a solution to this?

I'm trying to ingest a very similar FlexLM debug file, in an attempt to track our actual license usage.

Thanks!

sirkgm14vg
Explorer

Actually I was able to figure this out. I haven't circled back on this. I was able to get this to ingest correctly, but I need to check with colleagues at a previous employer for what I did.

chandanmla
Engager

Hello, what can the parsing be to get only events with "IN" and "OUT"?

ckdoan
New Member

Were you ever able to achieve this?

sfishback
Engager

I'm also trying to parse the FLEXlm logs but still struggling.

which translates to something like this in the Field Extractor:

^(?P[^ ]+)\s+(?P<FLEXlm_Daemon>[^ ]+)\s+(?P<FLEXlm_Message>\w+:)\s+(?P<FLEXlm_Module>[^ ]+)\s+(?P<FLEXlm_User>.+)

Some have a space at the beginning, which throws everything off, and they end up being excluded from my searches.

I found this wonderful tool which has helped with getting the regex better http://regexr.com/

(\d+:\d+:\d+)\s+([^ ]+)\s+(\w+:)\s+([^ ]+)(.+)

This is not working 100%, but it's a start. I welcome suggestions for improvement from others out there.

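A worked example, added here and not code from any poster in the thread: a small Python parser that does what the thread asks for, carrying the date from the `TIMESTAMP` and `started on ... (m/d/yyyy)` lines to the time-only lines, dropping the lmgrd banner, keeping only IN/OUT events, tolerating the leading space on single-digit hours, and then totalling checkout time per feature and user. The sample log, the group names and the OUT-to-next-IN pairing rule are my assumptions, not FlexLM's or Splunk's.

```python
import re
from datetime import datetime

# Constructed sample modelled on the FlexLM debug log in the question (not a real
# capture): only TIMESTAMP / "started on" lines carry a date, one time has a leading space.
SAMPLE_LOG = """\
12:58:59 (lmgrd) -----------------------------------------------
12:58:59 (lmgrd) FLEXnet Licensing (v10.8.0.7 build 26147) started on warehouse (linux) (1/20/2011)
19:00:51 (lmgrd) TIMESTAMP 1/25/2011
 1:00:51 (lmgrd) TIMESTAMP 1/26/2011
17:39:41 (toolworks) OUT: "TotalView_Team" Jeffrey.Durachta@an006
17:43:40 (toolworks) IN: "TotalView_Team" Jeffrey.Durachta@an006
"""

# ^\s* is what tolerates the leading space on single-digit hours (" 1:00:51").
LINE_RE = re.compile(r'^\s*(?P<time>\d{1,2}:\d{2}:\d{2}) \((?P<daemon>[^)]+)\)\s*(?P<msg>.*)$')
DATE_RE = re.compile(r'\bTIMESTAMP (?P<date>\d{1,2}/\d{1,2}/\d{4})|\((?P<start>\d{1,2}/\d{1,2}/\d{4})\)$')
CHECKOUT_RE = re.compile(r'^(?P<dir>IN|OUT): "(?P<feature>[^"]+)" (?P<user>\S+)$')


def parse_flexlm(text):
    """Return (datetime, daemon, 'IN'|'OUT', feature, user) for checkout/checkin lines,
    stamping time-only lines with the most recent date seen (TIMESTAMP or 'started on')."""
    current_date, events = None, []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # blank line or no 'hh:mm:ss (daemon)' prefix
        msg = m.group('msg').rstrip()
        d = DATE_RE.search(msg)
        if d:  # date-bearing line: update the carried date, emit no event
            current_date = datetime.strptime(d.group('date') or d.group('start'), '%m/%d/%Y').date()
            continue
        c = CHECKOUT_RE.match(msg)
        if not c or current_date is None:
            continue  # banner text, other lmgrd chatter, or no date known yet
        when = datetime.combine(current_date, datetime.strptime(m.group('time'), '%H:%M:%S').time())
        events.append((when, m.group('daemon'), c.group('dir'), c.group('feature'), c.group('user')))
    return events


def usage_seconds(events):
    """Total seconds each (feature, user) held a license: each OUT is paired with the
    next IN for the same key; an OUT still open at the end of the log is ignored."""
    open_at, totals = {}, {}
    for when, _daemon, direction, feature, user in sorted(events):
        key = (feature, user)
        if direction == 'OUT':
            open_at[key] = when
        elif key in open_at:
            totals[key] = totals.get(key, 0) + int((when - open_at.pop(key)).total_seconds())
    return totals
```

The same `(?P<name>...)` named groups work in Splunk's field extractor, so `LINE_RE` and `CHECKOUT_RE` can be carried over as the extraction regexes once the leading-space fix is in place.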