I have a middleware .out file to be monitored with Splunk.
The events are breaking with respect to the timestamps, as below:
1/16/20
12:27:17.553 PM
Jan 16, 2020 1:57:17,553 AM EST Warning Socket BEA-000449bClosing the socket, as no data read from it on ,322 during the configured idle timeout of 5 seconds.
1/16/20
12:24:17.274 PM
Jan 16, 2020 1:54:17,274 AM EST Error oracle.soa.management.internal.ejb.impl.FacadeFinderBeanImp BEA-000000 No Facade Fault Recovery Service found for Engine type : service
But I have an event in this log file which is breaking based on timestamp, yet that single event goes beyond 800 to 1000 lines. Sample event below:
Jan 16, 2020 1:54:05,062 AM EST Error oracle.soa.bpel.engine.dispatch BEA-00000 Transaction rolledback, Transaction key = Name=[EJB
** Cikey: 100174
** ComponentDN: default/CommsProcessFulfillmentOrderBillingAccountListEBF!1.0*soa_50970aa3-f91e-430a-83db-70b3c1beafd9/CommsProcessFulfillmentOrderBillingAccountListEBF
** FlowId: 100048
** Scope Id: 0
** Audit Event Date: Thu, 16 Jan 2020 01:54:04.300 EST
** Audit Message: New instance of BPEL process "1.0" initiated (# "CommsProcessFulfillmentOrderBillingAccountListEBF").
** Scope Id: BpSeq13.3
** Audit Event Date: Thu, 16 Jan 2020 01:54:04.301 EST
** Audit Message: Received "initiate" call from partner "client"
** Audit Detail:
CommsProcessFulfillmentOrderBillingAccountListReqMsg part name="ProcessFulfillmentOrderBillingAccountListEBM" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"bProcessFulfillmentOrderBillingAccountListEBM
** Audit Event Attributes:
** wikey: 100174-BpRcv0-BpSeq13.3-1
** label: receiveInput
** Scope Id: BpSeq13.3
** Audit Event Date: Thu, 16 Jan 2020 01:54:04.302 EST
** Audit Message: bpelx:exec executed
** Audit Detail: null
** Audit Event Attributes:
** wikey: 100174-BxExe0-BpSeq13.3-2
** label: Set_Title
** state: 5
This event is more than 1000 lines, with a lot of Scope Id paragraphs, and I get a "Show all 800 lines" message; when I expand it, Splunk goes into a hung state.
Though I can use the Truncate and max_events values in props, how can I handle or break one big event with more than 800 lines based on the Scope Id, and also keep the other events breaking based on timestamp as well?
In props.conf:
[your_sourcetype]
SHOULD_LINEMERGE = false
# the capture group is the newline run Splunk discards; the lookahead marks where the next event starts ("Jan 16, 2020 ..." or "** Scope Id")
LINE_BREAKER = ([\r\n]+)(?=\w{3}\s\d{1,2},\s\d{4}|\*\*\sScope Id)
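To see what a LINE_BREAKER like this does to the sample from the question before deploying it, here is an added Python script (not from the thread or from Splunk) that splits constructed sample text the way Splunk applies LINE_BREAKER: the captured group is dropped and each match starts a new event. The sample lines are shortened copies of the ones quoted above, and Python's re is used as an approximation of Splunk's PCRE engine (this pattern uses only syntax common to both).

```python
import re

# Constructed sample of the middleware .out file, shortened from the lines
# quoted in the question. Note the "Thu, 16 Jan 2020" audit dates inside the
# big event: these must NOT start a new event, only "Jan 16, 2020" lines and
# "** Scope Id" lines should.
SAMPLE_OUT = """\
Jan 16, 2020 1:57:17,553 AM EST Warning Socket BEA-000449 Closing the socket
Jan 16, 2020 1:54:05,062 AM EST Error oracle.soa.bpel.engine.dispatch BEA-00000 Transaction rolledback
** Cikey: 100174
** Scope Id: 0
** Audit Event Date: Thu, 16 Jan 2020 01:54:04.300 EST
** Audit Message: New instance of BPEL process "1.0" initiated
** Scope Id: BpSeq13.3
** Audit Event Date: Thu, 16 Jan 2020 01:54:04.301 EST
** Audit Message: Received "initiate" call from partner "client"
Jan 16, 2020 1:54:17,274 AM EST Error oracle.soa.management BEA-000000 No Facade Fault Recovery Service found
"""

# Same regex as the props.conf answer: group 1 is the text Splunk removes,
# the lookahead is the start of the next event and is kept in that event.
LINE_BREAKER = re.compile(r"([\r\n]+)(?=\w{3}\s\d{1,2},\s\d{4}|\*\*\sScope Id)")


def break_events(raw: str, breaker: re.Pattern = LINE_BREAKER) -> list[str]:
    """Split raw text the way Splunk applies LINE_BREAKER (approximation).

    Text before the first match is the first event; at every match the
    captured group is discarded and a new event begins at match end.
    """
    events = []
    start = 0
    for m in breaker.finditer(raw):
        events.append(raw[start:m.start()])
        start = m.end()
    tail = raw[start:].rstrip("\r\n")
    if tail:
        events.append(tail)
    return [e for e in events if e]


if __name__ == "__main__":
    for i, event in enumerate(break_events(SAMPLE_OUT), 1):
        print(f"--- event {i}: {len(event.splitlines())} line(s) ---")
        print(event)
```

Expect five events: the two timestamped one-liners, the "Transaction rolledback" header with its Cikey line, and one event per "** Scope Id" block (each keeping its "Thu, 16 Jan 2020" audit date lines intact).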
Try creating a field extraction in the UI with a regex.
Wow, thanks for this thread. I didn't even think about splitting events within events. I'm still trying to figure out the Splunk search language, and I don't always get what I want the first time. I hope I won't bother anyone with my comment if I use it to "bookmark" the topic 🙂 I prefer to appear in all thematic forums and ask thousands of stupid questions to everyone. This is how I prevent possible errors, and it's better than carrying the hard drive to the file recovery procedure later due to a series of wrong actions.