Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Splunk Search
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Community
- :
- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to break Weblogic JVM events using regex w...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
How to break Weblogic JVM events using regex with multiple timestamps & exceptions in single event
p_gurav
Champion
07-12-2016
06:34 AM
Hi All,
I have the following JVM logs:
May 8, 2016 1:26:26 AM IST Warning Socket BEA-000449 Closing socket as no data read from it on x.x.x.x:x,x during the configured idle timeout of 5 secs
01:45:05.078 [Listener-null] ERROR c.c.s.ListenerHandler - Error occurred while delivering response message for listener rilBPMService.createServiceOrderInterface.createOrder.
java.lang.NullPointerException
at com.conceptwave.serviceprovider.MsgQueueListener$MsgQueueHandler.doCreateOutConnection(MsgQueueListener.java:250)
at com.conceptwave.serviceprovider.ListenerHandler.createOutConnection(ListenerHandler.java:517)
at com.conceptwave.serviceprovider.ListenerHandler.run(ListenerHandler.java:281)
at com.conceptwave.serviceprovider.CwfListener.run(CwfListener.java:320)
02:00:12.712 [Listener-null] ERROR c.c.s.ListenerHandler - Error occurred while delivering response message for listener rilBPMService.createServiceOrderInterface.createOrder.
java.lang.NullPointerException
at com.conceptwave.serviceprovider.MsgQueueListener$MsgQueueHandler.doCreateOutConnection(MsgQueueListener.java:250)
at com.conceptwave.serviceprovider.ListenerHandler.createOutConnection(ListenerHandler.java:517)
at com.conceptwave.serviceprovider.ListenerHandler.run(ListenerHandler.java:281)
at com.conceptwave.serviceprovider.CwfListener.run(CwfListener.java:320)
02:00:14.008 [Listener-null] ERROR c.c.s.ListenerHandler - Error occurred while delivering response message for listener rilBPMService.serviceOrderNotificationInterface.serviceOrderNotification.
java.lang.NullPointerException
at com.conceptwave.serviceprovider.MsgQueueListener$MsgQueueHandler.doCreateOutConnection(MsgQueueListener.java:250)
at com.conceptwave.serviceprovider.ListenerHandler.createOutConnection(ListenerHandler.java:517)
at com.conceptwave.serviceprovider.ListenerHandler.run(ListenerHandler.java:281)
at com.conceptwave.serviceprovider.CwfListener.run(CwfListener.java:320)
02:00:46.377 [Listener-null] ERROR c.c.s.ListenerHandler - Error occurred while delivering response message for listener rilBPMService.createServiceOrderInterface.createOrder.
java.lang.NullPointerException
at com.conceptwave.serviceprovider.MsgQueueListener$MsgQueueHandler.doCreateOutConnection(MsgQueueListener.java:250)
at com.conceptwave.serviceprovider.ListenerHandler.createOutConnection(ListenerHandler.java:517)
at com.conceptwave.serviceprovider.ListenerHandler.run(ListenerHandler.java:281)
at com.conceptwave.serviceprovider.CwfListener.run(CwfListener.java:320)
I want Splunk to consider above event as one event. But as it has multiple timestamps without date.
I tried following properties in props.conf:
BREAK_ONLY_BEFORE = \<\w\w\w\s\d{2},\s\d{4}\s\d+:\d{2}:\d{2}\>
SHOULD_LINEMERGE = true
MAX_EVENTS= 10000
TIME_FORMAT=%b %d, %Y %H:%M:%S %p
TIME_PREFIX=^
In this case Splunk is breaking event whenever it encounters time (i.e. at each exception), creating multiple events for each exception instead of single event.
If I don't use the BREAK_ONLY_BEFORE in props, then Splunk is still breaking the event whenever it encounters time, but not indexing the exception part. I end up with missing data.
Could anybody will help me with this?
Thank You in advance
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
michael_sleep
Communicator
07-13-2016
12:24 PM
This would work as a props configuration. Just take whatever you need. The regex may be different if only because I can't tell if your timestamp line starts with a space or not, so I've included both. This one will assume there is no space:
SHOULD_LINEMERGE=true
BREAK_ONLY_BEFORE=^(\w{3}\s\d{1,2}\,\s\d{4}\s\d{1,2}:\d{2}:\d{2}\s\w{2}\s\w{3})
MAX_TIMESTAMP_LOOKAHEAD=27
If there is a space:
^(\s\w{3}\s\d{1,2}\,\s\d{4}\s\d{1,2}:\d{2}:\d{2}\s\w{2}\s\w{3})
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
campbellj1977
Explorer
07-13-2016
11:12 AM
It looks like you are defining your time prefix to start of new line, but no line breaks mentioned. Try this;
SHOULD_LINEMERGE = false
LINE_BREAKER = \w{3}\s\w{1,2}\,\s\d{4}\s\d{1,2}\:\d{1,2}\:\d{1,2}\s\w{2}
TIME_FORMAT=%b %d, %Y %H:%M:%S %p
TIME_PREFIX=^
LOOK_AHEAD = 45
I believe this is best practice all props.
Thanks,
Joshua
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
woodcock
Esteemed Legend
07-13-2016
10:29 AM
Try this:
TIME_PREFIX = ^
TIME_FORMAT = %b %d, %Y %H:%M:%S %p
BREAK_ONLY_BEFORE_DATE = true
SHOULD_LINEMERGE = true
Register for .conf21 Now!
Go Vegas or Go Virtual!
How will you .conf21? You decide! Go in-person in Las Vegas, 10/18-10/21, or go online with .conf21 Virtual, 10/19-10/20.
Learn More or Register Now >
Get Updates on the Splunk Community!
