I started the forwarder again today and it all seems to be working as it should. Infuriating, but as it is working there is no need for this to still be open. Is there any way for me to close it or mark it in some way?
I had a forwarder on an AIX server sending a number of log files to my Splunk Indexer and all was working well.
Then debugging got turned on on the application producing the log files. My Splunk license got blown out of the window, so I had to stop the forwarder.
Since then, whenever I turn on the forwarder again, Splunk only creates an event for the first (multi) line in the logfiles, giving it a timestamp of the system time as there is no date or time against the first line in the logs. Also, it creates an event if the logfile rolls over, again taking the first line in it.
The log files are Maximo WebSphere UI logs.
The event that is being recorded is like this:
************ Start Display Current Environment ************
WebSphere Platform 6.1 [ND 126.96.36.199 cf471333.02] running with process name ctgCell01\ctgNode01\XXXXXXXServer and process id 426116
Detailed IFix information: Please use the versionInfo command to view this information
Host Operating System is AIX, version 5.3
Java version = 1.5.0, Java Compiler = NONE, Java VM name = IBM J9 VM
was.install.root = /hostname/IBM/WebSphere/AppServer
user.install.root = /hostname/IBM/WebSphere/AppServer/profiles/ctgAppSrv01
Java Home = /hostname/IBM/WebSphere/AppServer/java/jre
ws.ext.dirs = /hostname/IBM/WebSphere/AppServer/java/lib:/hostname/IBM/WebSphere/AppServer/profiles/ctgAppSrv01/classes:/hostname/IBM/WebSphere/AppServer/classes:/hostname/IBM/WebSphere/AppServer/lib:/hostname/IBM/WebSphere/AppServer/installedChannels:/hostname/IBM/WebSphere/AppServer/lib/ext:/hostname/IBM/WebSphere/AppServer/web/help:/hostname/IBM/WebSphere/AppServer/deploytool/itp/plugins/com.ibm.etools.ejbdeploy/runtime
Classpath = /hostname/IBM/WebSphere/AppServer/profiles/ctgAppSrv01/properties:/hostname/IBM/WebSphere/AppServer/properties:/hostname/IBM/WebSphere/AppServer/lib/startup.jar:/hostname/IBM/WebSphere/AppServer/lib/bootstrap.jar:/hostname/IBM/WebSphere/AppServer/lib/j2ee.jar:/hostname/IBM/WebSphere/AppServer/lib/lmproxy.jar:/hostname/IBM/WebSphere/AppServer/lib/urlprotocols.jar:/hostname/IBM/WebSphere/AppServer/deploytool/itp/batchboot.jar:/hostname/IBM/WebSphere/AppServer/deploytool/itp/batch2.jar:/hostname/IBM/WebSphere/AppServer/java/lib/tools.jar
Java Library path = /hostname/IBM/WebSphere/AppServer/java/jre/bin:/hostname/IBM/WebSphere/AppServer/java/jre/bin:/hostname/IBM/WebSphere/AppServer/java/jre/bin/classic:/hostname/IBM/WebSphere/AppServer/java/jre/bin:/hostname/IBM/WebSphere/AppServer/bin:/hostname/IBM/WebSphere/AppServer/java/jre/bin/j9vm:/hostname/IBM/WebSphere/AppServer/java/jre/bin/j9vm:/hostname/IBM/WebSphere/AppServer/java/jre/bin//headless:/hostname/IBM/WebSphere/AppServer/java/jre/bin/j9vm:/usr/lib:/hostname/IBM/WebSphere/AppServer/lib/WMQ/java/lib
************* End Display Current Environment *************
Subsequent lines are like this, but are not appearing in Splunk:
[13/11/15 08:24:01:218 GMT] 0000002e SystemOut O 13 Nov 2015 08:24:01:218 [INFO] BMXAA6370I - Total number of users connected to the system: 0
[13/11/15 08:24:01:219 GMT] 0000002e SystemOut O 13 Nov 2015 08:24:01:219 [INFO] BMXAA7019I - The total memory is 2147483648 and the memory available is 1897199760.
All I did was stop the forwarder, then restart it again a few days later.
Hi all, just getting started and trying to get something together quickly to show management so forgive asking what is probably a trivial question.
I have a log file which is written to each minute with a count of messages in a number of queues. I have a chart showing those queues with a non-zero count over the last five minutes.
source=".log" id="queue.*" value>0 | stats max(value) by id
I want it to only display queues where the count has not been zero in the previous five minutes as I only care about queues that are not emptying.
I have tried things along the lines of
source=".log" id="queue.*" value>0 | stats max(value) by id | where min(value) > 0
But I cannot get it right. Can someone point me in the right direction, please?