Hi , I am trying to break events which are merging for SMS and SMPP logs. only the events with binary codes are breaking and rest are still merging.Can anyone advice how I can break events here. Props I am using is as below KV_MODE = none BREAK_ONLY_BEFORE = \d{2}:\d{2}:\d{2}:\d{3}\s+(\d+\w+) NO_BINARY_CHECK = true SHOULD_LINEMERGE = true and  KV_MODE = none NO_BINARY_CHECK = true SHOULD_LINEMERGE = false  TIME_FORMAT=%H:%M:%S:%3N   09:55:26:008 (000005A0) --IP--  --: WaitForResponseSMPP: SMPP Debug: ioctlsocket failed, no data 09:55:26:935 (000007B8) --IP--  --: WaitForResponseSMPP: SMPP Debug: ioctlsocket failed, no data 09:55:27:347 (000007D0) --IP--  --: WaitForResponseSMPP: SMPP Debug: received a submit message 09:55:27:347 (000007D0) --IP--  <-: 103 byte packet 09:55:27:347 (000007D0) --IP--  <-: 00 00 00 67 00 00 00 04 00 00 00 00 00 05 5E C1 g ^ 09:55:27:347 (000007D0) --IP--  <-: 00 00 00 36 30 30 30 30 30 30 34 00 00 00 35 32 60000004 52 09:55:27:347 (000007D0) --IP--  <-: 69 6D 57 52 36 4A 73 2F 69 31 69 41 47 4F 45 4D imWR6Js/i1iAGOEM 09:55:27:347 (000007D0) --IP--  <-: 71 75 6E 52 6E 61 71 qunRnaq   SMSDebug log 10:00:11:467 [21] CHECKLF0004###0010\5F7ACFDA.REQ: WAIT 10:00:11:467 [23] CHECKLF0004LF0004###0010\5F7ACFDA.REQ: WAIT 10:00:11:640 [22] VWPRODEGOLF0004###0010\5F7ACFDA.REQ: WAIT 10:00:11:815 [5] ThreadListenForSMPPConnections: Before accept 10:00:11:815 [5] ThreadListenForSMPPConnections: After accept 10:00:11:815 [29] ThreadProcessSMPPConnection: Processing SMPP connection from IP... 10:00:11:908 [28] ThreadProcessSMPPConnection: Releasing SMPP connection from IP 10:00:11:909 [28] WaitForSocketClose: WinSock reported ioctlsocket complete ... View more

I have a Clustered environment and monitoring setup for application logs,universal forwarders push data to indexers . Lately , I have been facing issue where the application logs are getting indexed and available . But after few hours when I search for the present day logs on splunk there are 0 events for 2 3 hours time frame and indexed data vanishes. Not sure if this is a known issue , any help would be of much help. Thanks ... View more

I have a clustered splunk environment and monitoring in place for quite a few application logs. Lately , I have been encountering an issue with data collection in Splunk . For some frame of time everyday(2 to 5 hours) , I do not see any data even though the application server has logs generated. But for the rest of the day it works just fine . Universal Forwarders and indexers are working just fine. This is affecting the dashboards and alerts , as the data is been missed out . Example log: 2020-02-13T05:01:45.249-0500 INFO 801 | UNIQ_ID=2AB2130 | TRANS_ID=00000170151fda6c-171dce8 | VERSION=18.09 | TYPE=AUDIT| UTC_ENTRY=2020-02-13T10:01:45.178Z | UTC_EXIT=2020-02-13T10:01:45.230Z,"Timestamp":"2020-02-13T10:01:45.062Z","Data":{"rsCommand":"","rsStatus":"executed","pqr":"2020-02-13T09:57:13.000Z","rsStatusReason":"executed","XYZ":"2020-02-13T09:57:29.000Z","rsMinutesRemaining":"6","remoDuration":"10","internTemperature":"12","ABC":"2020-02-13T10:00:20.000Z","Sucction"}} Can anyone give some insight ,If you have faced or come across this kind of issue. I suspect Splunk is getting confused with the time format of the actual event and the time and year value format inside the event likeabc,pqr,xyz timestamp in the example log above.. But doesn't help me how to go about and solve this issue. ... View more

I have middleware .out file to be monitored with Splunk. The events are breaking with respect to the time stamps as below 1/16/20 12:27:17.553 PM Jan 16, 2020 1:57:17,553 AM EST Warning Socket BEA-000449bClosing the socket, as no data read from it on ,322 during the configured idle timeout of 5 seconds. 1/16/20 12:24:17.274 PM Jan 16, 2020 1:54:17,274 AM EST Error oracle.soa.management.internal.ejb.impl.FacadeFinderBeanImp BEA-000000 No Facade Fault Recovery Service found for Engine type : service But i have an event in this log file which is breaking based on time stamp but single event isgoing beyond 800 1000lines . sample event below Jan 16, 2020 1:54:05,062 AM EST Error oracle.soa.bpel.engine.dispatch BEA-00000 Transaction rolledback, Transaction key = Name=[EJB ** Cikey: 100174 ** ComponentDN: default/CommsProcessFulfillmentOrderBillingAccountListEBF!1.0*soa_50970aa3-f91e-430a-83db-70b3c1beafd9/CommsProcessFulfillmentOrderBillingAccountListEBF ** FlowId: 100048 ** Set of Audit Events in currently rolledback transaction: ** Scope Id: 0 ** Audit Event Date: Thu, 16 Jan 2020 01:54:04.300 EST ** Audit Message: New instance of BPEL process "1.0" initiated (# "CommsProcessFulfillmentOrderBillingAccountListEBF"). ** Audit Detail: null ** Scope Id: BpSeq13.3 ** Audit Event Date: Thu, 16 Jan 2020 01:54:04.301 EST ** Audit Message: Received "initiate" call from partner "client" ** Audit Detail: CommsProcessFulfillmentOrderBillingAccountListReqMsg part name="ProcessFulfillmentOrderBillingAccountListEBM" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"bProcessFulfillmentOrderBillingAccountListEBM ** Audit Event Attributes: ** wikey: 100174-BpRcv0-BpSeq13.3-1 ** label: receiveInput ** state: 5 ** Scope Id: BpSeq13.3 ** Audit Event Date: Thu, 16 Jan 2020 01:54:04.302 EST ** Audit Message: bpelx:exec executed ** Audit Detail: null ** Audit Event Attributes: ** wikey: 100174-BxExe0-BpSeq13.3-2 ** label: Set_Title ** state: 5 This event is more than 1000lines with lot of scope ID paragraph and I get a Show all 800lines message , and when I expand the Splunk goes into hung state. Though i can use Truncate and max_events value in props , how can i handle or break one big event with more than 800 lines based on the ScopeID and also keep other events breaking based on timestamp as well . ... View more

How can i extract the below block letter keywords (OrderUpdateWithAccountInfoRequest ,VinValidationRequest,GetEntitledRequest ..)from my log as field values for field name API's? 2020-01-09 03:58:08,280 INFO com.hti.gw.interceptor.ServiceInterceptor (Hughes_Tre13342) <OrderUpdateWithAccountInfoRequest ** xmlns:ns5="....... 2020-01-08 06:25:25,836 INFO com.vzt.pg.AbstractMiddlewareDelegate (AMP_RptDqckdAsT5ldcFG8eh_tdzbmtxux44z850) <VinValidationRequest** xmlns:ns2="http://www.hughestelematics.com..... 2020-01-08 06:25:25,546 INFO com.vzt.pg.AbstractMiddlewareDelegate (AMP_RptDqckdAsT5ldcFG8eh_tdzbmtxux44z850) <GetEntitledRequest xmlns:ns2="ht...... 2020-01-08 06:20:13,637 INFO com.vzt.pg.AbstractMiddlewareDelegate (AMP_RptDqckdAsT5ldcFG8eh_9wiiwnvakzcdc66) <VinValidationRequest xmlns:ns2="http:/...... ... View more