How can I break events within events?

Sujithkumarkb
Observer

I have a middleware .out file to be monitored with Splunk.
The events are breaking with respect to the timestamps as below:

1/16/20
12:27:17.553 PM
Jan 16, 2020 1:57:17,553 AM EST Warning Socket BEA-000449bClosing the socket, as no data read from it on ,322 during the configured idle timeout of 5 seconds.

1/16/20
12:24:17.274 PM
Jan 16, 2020 1:54:17,274 AM EST Error oracle.soa.management.internal.ejb.impl.FacadeFinderBeanImp BEA-000000 No Facade Fault Recovery Service found for Engine type : service

But I have an event in this log file which is breaking based on timestamp, while a single event is going beyond 800-1000 lines. Sample event below:

Jan 16, 2020 1:54:05,062 AM EST Error oracle.soa.bpel.engine.dispatch BEA-00000 Transaction rolledback, Transaction key = Name=[EJB
** Cikey: 100174
** ComponentDN: default/CommsProcessFulfillmentOrderBillingAccountListEBF!1.0*soa_50970aa3-f91e-430a-83db-70b3c1beafd9/CommsProcessFulfillmentOrderBillingAccountListEBF
** FlowId: 100048

** Set of Audit Events in currently rolledback transaction:

** Scope Id: 0
** Audit Event Date: Thu, 16 Jan 2020 01:54:04.300 EST
** Audit Message: New instance of BPEL process "1.0" initiated (# "CommsProcessFulfillmentOrderBillingAccountListEBF").

** Audit Detail: null

** Scope Id: BpSeq13.3
** Audit Event Date: Thu, 16 Jan 2020 01:54:04.301 EST
** Audit Message: Received "initiate" call from partner "client"
** Audit Detail:
CommsProcessFulfillmentOrderBillingAccountListReqMsg part name="ProcessFulfillmentOrderBillingAccountListEBM" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"bProcessFulfillmentOrderBillingAccountListEBM
** Audit Event Attributes:
** wikey: 100174-BpRcv0-BpSeq13.3-1
** label: receiveInput

** state: 5

** Scope Id: BpSeq13.3
** Audit Event Date: Thu, 16 Jan 2020 01:54:04.302 EST
** Audit Message: bpelx:exec executed
** Audit Detail: null
** Audit Event Attributes:
** wikey: 100174-BxExe0-BpSeq13.3-2
** label: Set_Title
** state: 5

This event is more than 1000 lines with a lot of Scope Id paragraphs, and I get a "Show all 800 lines" message, and when I expand it Splunk goes into a hung state.
Though I can use the TRUNCATE and MAX_EVENTS values in props, how can I handle or break one big event with more than 800 lines based on the Scope Id, and also keep the other events breaking based on timestamp as well?

0 Karma

jkat54
SplunkTrust

In props.conf

[your_sourcetype]
# Group 1 (the line break) marks the boundary; the non-capturing alternation
# keeps the "Mon DD" timestamp or the "Scope Id" text at the start of the next event.
LINE_BREAKER = ([\r\n]+)(?:\w{3}\s\d\d|\*\*\s*Scope Id)
# Without this, Splunk re-merges lines that do not start with a timestamp
# (the Scope Id pieces) back into the previous event.
SHOULD_LINEMERGE = false

0 Karma
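To check a LINE_BREAKER regex before pushing it to props.conf, the following Python script emulates Splunk's rule for that setting (the previous event ends at the start of capturing group 1, the next event starts at its end) and runs it over a constructed sample shaped like the log in the question. This is an added example, not code from the original thread or from Splunk; the sample text, the function name split_events and the two regex constants are assumptions made here, and the combined regex uses a lookahead rather than the non-capturing group form, which gives the same boundaries.

```python
import re
from typing import List

# Constructed sample modelled on the question's log: two timestamped events,
# the second of which contains several "** Scope Id:" sections.
SAMPLE = """Jan 16, 2020 1:57:17,553 AM EST Warning Socket BEA-000449 Closing the socket
Jan 16, 2020 1:54:05,062 AM EST Error oracle.soa.bpel.engine.dispatch BEA-00000 Transaction rolledback
** Cikey: 100174
** FlowId: 100048
** Set of Audit Events in currently rolledback transaction:

** Scope Id: 0
** Audit Event Date: Thu, 16 Jan 2020 01:54:04.300 EST
** Audit Message: New instance of BPEL process initiated

** Scope Id: BpSeq13.3
** Audit Event Date: Thu, 16 Jan 2020 01:54:04.301 EST
** Audit Message: Received "initiate" call from partner "client"
Jan 16, 2020 1:54:17,274 AM EST Error oracle.soa.management BEA-000000 No Facade Fault Recovery Service found
"""

# Breaks only before a "Mon DD, YYYY" line (what the question describes as current behaviour).
TIMESTAMP_ONLY = r"([\r\n]+)(?=\w{3}\s\d{1,2},\s\d{4})"

# Breaks before a timestamp line OR before a "** Scope Id:" line.
# Group 1 is the line break; the lookahead keeps the timestamp / Scope Id text in the next event.
LINE_BREAKER = r"([\r\n]+)(?=\w{3}\s\d{1,2},\s\d{4}|\*\*\s*Scope Id:)"


def split_events(raw: str, line_breaker: str) -> List[str]:
    """Emulate Splunk's LINE_BREAKER semantics on a raw text stream.

    For each regex match, the text up to the start of capturing group 1 closes
    the current event and the text from the end of group 1 opens the next one.
    Splunk uses PCRE; for these patterns Python's re behaves the same.
    """
    pattern = re.compile(line_breaker)
    if pattern.groups < 1:
        raise ValueError("LINE_BREAKER needs a capturing group")
    events = []
    start = 0
    for m in pattern.finditer(raw):
        events.append(raw[start:m.start(1)])
        start = m.end(1)
    events.append(raw[start:])
    # Drop empty pieces and trailing line breaks so boundaries are easy to read.
    return [e.rstrip("\r\n") for e in events if e.strip()]


if __name__ == "__main__":
    for label, regex in (("timestamp only", TIMESTAMP_ONLY), ("timestamp or Scope Id", LINE_BREAKER)):
        events = split_events(SAMPLE, regex)
        print(f"{label}: {len(events)} events")
        for i, event in enumerate(events, 1):
            print(f"--- event {i} ({event.count(chr(10)) + 1} lines) ---")
            print(event.splitlines()[0])
```

The timestamp-only regex yields three events, with the whole rolled-back transaction as one block; the combined regex yields five, each "** Scope Id:" section becoming its own event. Two things the emulation does not cover: in Splunk the breaker only takes effect with SHOULD_LINEMERGE = false, and the Scope Id pieces do not start with a timestamp (they carry an "** Audit Event Date:" line further down), so timestamp recognition for them depends on the sourcetype's TIME_PREFIX / MAX_TIMESTAMP_LOOKAHEAD settings and has to be verified separately.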

vsai0718
Path Finder

Try creating a field extraction on the UI with regex.

0 Karma