Splunk Search

How to find events that are not splitting correctly

freern
New Member

I'm trying to determine which of my company's application logs aren't being split correctly, but I'm having a hard time getting a regex search that only returns results that fit the scenario.

The problem part of the raw log is [SKY_LOG_END]\n[SKY_LOG_START]

Any help would be appreciated.

0 Karma
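An added, constructed example (not from the poster, and not Splunk's own code) for two things the question asks about: the regex that matches only events where an END marker is immediately followed by a START marker, and a way to check a candidate LINE_BREAKER offline before asking the administrators to deploy it. The log lines, the `sky_app` stanza name and the props.conf settings are assumptions; `merge_by_date` is a simplified model of Splunk's default line merging (SHOULD_LINEMERGE=true, BREAK_ONLY_BEFORE_DATE=true), not Splunk's actual implementation.

```python
import re

# Constructed sample of the application's log file (not the poster's real data):
# three records, each framed by the START/END markers described in the question.
RAW_FILE = (
    "[SKY_LOG_START]\n"
    "2024-01-01 10:00:00 INFO user=alice action=login\n"
    "[SKY_LOG_END]\n"
    "[SKY_LOG_START]\n"
    "2024-01-01 10:00:01 WARN user=bob action=login result=failed\n"
    "[SKY_LOG_END]\n"
    "[SKY_LOG_START]\n"
    "2024-01-01 10:00:02 INFO user=bob action=lockout\n"
    "[SKY_LOG_END]\n"
)

DATE_AT_LINE_START = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}")


def merge_by_date(stream):
    """Simplified emulation (assumption, not Splunk code) of default line merging:
    each line is glued onto the current event unless it starts with a timestamp,
    so the trailing [SKY_LOG_END] and the next [SKY_LOG_START] end up in the
    previous event. This reproduces the symptom described in the question."""
    events = []
    for line in stream.splitlines():
        if not events or DATE_AT_LINE_START.match(line):
            events.append(line)
        else:
            events[-1] += "\n" + line
    return events


# The symptom itself: an END marker followed only by line breaks and then a START
# marker inside one event. A correctly split event can never contain this, so the
# same expression can be used in SPL as
#   index=<your_index> sourcetype=<your_sourcetype>
#   | regex _raw="\[SKY_LOG_END\][\r\n]+\[SKY_LOG_START\]"
MERGED_BOUNDARY = re.compile(r"\[SKY_LOG_END\][\r\n]+\[SKY_LOG_START\]")


def find_merged(events):
    """Return {event_index: number_of_END/START_boundaries} for badly split events."""
    return {
        i: len(MERGED_BOUNDARY.findall(e))
        for i, e in enumerate(events)
        if MERGED_BOUNDARY.search(e)
    }


# Candidate props.conf fix, kept as a string for reference only (not applied here).
# Splunk discards the text matched by LINE_BREAKER's first capture group and starts
# the next event immediately after it, so the START marker stays with its record.
PROPS_FIX = """
[sky_app]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\\r\\n]+)\\[SKY_LOG_START\\]
"""
LINE_BREAKER = re.compile(r"([\r\n]+)\[SKY_LOG_START\]")


def split_with_line_breaker(stream, pattern=LINE_BREAKER):
    """Emulate LINE_BREAKER semantics: cut at every match, dropping only group 1."""
    events, pos = [], 0
    for m in pattern.finditer(stream):
        chunk = stream[pos:m.start(1)]
        if chunk:
            events.append(chunk)
        pos = m.end(1)  # the START marker itself belongs to the next event
    tail = stream[pos:].rstrip("\r\n")
    if tail:
        events.append(tail)
    return events


if __name__ == "__main__":
    broken = merge_by_date(RAW_FILE)
    print("default merging produced", len(broken), "events;",
          "badly split:", find_merged(broken))
    fixed = split_with_line_breaker(RAW_FILE)
    print("LINE_BREAKER produced", len(fixed), "events;",
          "badly split:", find_merged(fixed))
```

Running the script shows the date-based merge turning three records into four events, two of which carry the END/START boundary, while the capture-group LINE_BREAKER yields exactly three events that each start with `[SKY_LOG_START]` and end with `[SKY_LOG_END]`. Feed a few hundred lines of the real log into `RAW_FILE` and the same two checks tell you whether the stanza is right before anyone touches the indexers.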

jkat54
SplunkTrust

Will the linecount field help here? In verbose mode you should be able to search for linecount>1 and see all the events with greater than one line.

0 Karma

jkat54
SplunkTrust

If you have access to _internal index, there is a component=linebreak* you can search for too.

0 Karma

richgalloway
SplunkTrust

The "Health Check" dashboard in the Monitoring Console will report on possible event breaking problems.

---
If this reply helps you, Karma would be appreciated.
0 Karma

freern
New Member

Thanks for your response. I don't have access to the Monitoring Console, as that side of things is managed by our system administrators. Is there any way to find this information as part of a Splunk search using the information I've given?

0 Karma

richgalloway
SplunkTrust

This is the MC search for event processing errors.

index=_internal splunk_server=local search_group=dmc_group_indexer earliest=-60m (source=*splunkd.log* (component=AggregatorMiningProcessor OR component=LineBreakingProcessor OR component=DateParserVerbose) (log_level=WARN OR log_level=ERROR)) OR (source=*metrics.log* group=thruput name=index_thruput)
| stats sum(eval(round(ev,0))) AS event_count count(eval(component=="AggregatorMiningProcessor")) AS aggregation_issues count(eval(component=="LineBreakingProcessor")) AS line_breaking_issues count(eval(component=="DateParserVerbose")) AS date_parsing_issues by host
| eval crap_score = round((aggregation_issues + line_breaking_issues + date_parsing_issues) / event_count * 1000, 3)
| eval severity_level = case(crap_score == 0, 0, crap_score > 0 AND crap_score < 1, 1, true(), 2)
| rename host AS instance
| fields - crap_score
---
If this reply helps you, Karma would be appreciated.
0 Karma

to4kawa
Ultra Champion

@freern
please provide sample logs with masking sensitive data like XXXX.

0 Karma