All Apps and Add-ons

Splunk Add-on for Oracle Database is not breaking multi-line events correctly

webbed
Engager

Hello there,

Try as I might, I've been unable to determine why event breaking using the [oracle:alert:text] sourcetype is not working and was hoping for some help.

We're running:
1. Splunk Enterprise v7.3.4 (we had the same issue when running v7.2, by the way, should anyone point out the published compatibility for this add-on as being an issue).
2. Splunk Add-on for Oracle Database v3.7 without modification on our indexers and search heads.
3. Oracle 12c

When installing on the UFs, a monitoring stanza was created in inputs.conf like so:

[monitor:///u01/app/oracle*/diag/rdbms///trace/alert_*.log]
sourcetype = oracle:alert:text
index = ufo_db_audit
crcSalt = <SOURCE>

In the "Sample Data", below, the events should be brokenby the timestamps in bold.

Sample data:

Wed May 13 23:35:09 2020
Thread 2 advanced to log sequence 13065 (LGWR switch)
Current log# 3 seq# 13065 mem# 0: +COD_DATA/CONTRLMD/ONLINELOG/group_3.635.945444391
Current log# 3 seq# 13065 mem# 1: +COD_FRAD/CONTRLMD/ONLINELOG/group_3.5494.945444391
Wed May 13 23:35:09 2020
Archived Log entry 27352 added for thread 2 sequence 13064 ID 0x56af26b4 dest 1:
Thu May 14 00:34:51 2020


Fatal NI connect error 12170.

VERSION INFORMATION:
TNS for Linux: Version 12.1.0.2.0 - Production
Oracle Bequeath NT Protocol Adapter for Linux: Version 12.1.0.2.0 - Production
TCP/IP NT Protocol Adapter for Linux: Version 12.1.0.2.0 - Production
Time: 14-MAY-2020 00:34:51
Tracing not turned on.
Tns error struct:
ns main err code: 12535

TNS-12535: TNS:operation timed out
ns secondary err code: 12560
nt main err code: 505

TNS-00505: Operation timed out
nt secondary err code: 110
nt OS err code: 0
Client address: (ADDRESS=(PROTOCOL=tcp)(HOST=x.x.x.x)(PORT=44570))
Thu May 14 02:00:03 2020
Closing Resource Manager plan via scheduler window
Clearing Resource Manager plan via parameter

Three of the four events above are broken correctly. The second last one, however, ends up broken into numerous events like this:

========================================================================
Thu May 14 00:34:51 2020


Fatal NI connect error 12170.

VERSION INFORMATION:
         TNS for Linux: Version 12.1.0.2.0 - Production
         Oracle Bequeath NT Protocol Adapter for Linux: Version 12.1.0.2.0 - Production
         TCP/IP NT Protocol Adapter for Linux: Version 12.1.0.2.0 - Production

========================================================================
Time: 14-MAY-2020 00:34:51
Tracing not turned on.

Tns error struct:

   **ns main err code: 12535**

========================================================================
TNS-12535: TNS:operation timed out
ns secondary err code: 12560

nt main err code: 505

TNS-00505: Operation timed out

** nt secondary err code: 110**

** nt OS err code: 0**

** Client address: (ADDRESS=(PROTOCOL=tcp)(HOST=x.x.x.x)(PORT=44570))**

Using the same props attributes, when I ingest the same log file using "Add Data" in Splunk Web or even throw a monitor on a non-prod indexer to ingest the same log file, the events are broken perfectly.

Although there seems to be no delay in the events being output to the monitored log files, I tried these attributes without success:
multiline_event_extra_waittime= true
time_before_close = 90

I can imagine using BREAK_ONLY_BEFORE_DATE=true and SHOULD_LINEMERGE=true might be helpful but I can't imagine I should have to radically alter the props attributes of a Splunk TA like this so presume something else is going on.

I'd really appreciate any pointers here.

richgalloway
SplunkTrust
SplunkTrust

Apps and add-ons are not perfect, even those with "Splunk" in the name. There may be differences in environments or data that cause the add-on to fail. If so, feel free to change settings (in the 'local' directory) so they work for you.

---
If this reply helps you, Karma would be appreciated.
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...