- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: stderr gives multiple events
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
We have some 3rd party library that writes one stack trace to STDERR which ends up as multiple rows in the log file:
2013-04-14 18:20:44,268 ERROR [] [STDERR] org.apache.wicket.WicketRuntimeException: Can't instantiate page using constructor 'public com.ongame.ip.promoweb.markup.pages.PromoWeb(org.apache.wicket.request.mapper.parameter.PageParameters)' and argument 'operatorID=[xxx], token=[xxx], lang=[sv], clientCode=[xxx]'. Might be it doesn't exist, may be it is not visible (public).
2013-04-14 18:20:44,268 ERROR [] [STDERR] at org.apache.wicket.session.DefaultPageFactory.newPage(DefaultPageFactory.java:196)
2013-04-14 18:20:44,268 ERROR [] [STDERR] at org.apache.wicket.session.DefaultPageFactory.newPage(DefaultPageFactory.java:97)
2013-04-14 18:20:44,268 ERROR [] [STDERR] at org.apache.wicket.session.DefaultPageFactory.newPage(DefaultPageFactory.java:47)
2013-04-14 18:20:44,268 ERROR [] [STDERR] ... 100 lines more
Each row in the stack trace gives a separate event in the Splunk index. Is there a way to concatenate this to one event?
We use log4j as logging framework. We have Splunk 4.3.2
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try configuring your event boundarys :
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try configuring your event boundarys :
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks,
however the regexp can be really complicated since we have to consider several threads writing to the log file concurrently (both stderr and normal logging). It can be hard to determine to which event a line belong to.
For now we'll redirect stderr to separate log file and exclude it from Splunk.
Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!
They're back! Join the SplunkTrust and MVP at .conf24
Enterprise Security Content Update (ESCU) | New Releases
