Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Concatenation of records between two keywords ?

pck_npluyaud
Explorer
‎12-07-2020 12:55 AM

Hello.

It is not a question, it is a use case that I don't arrive to resolve.

The situation :

  • a log file on remote server, with a Splunk Universal Forwarder and only an inputs.conf (not other conf)
  • a props.conf on Heavy Forwarder with
    • LINE_BREAKER = \d{1,4}-\d{1,2}-\d{1,2}\s\d{1,2}:\d{1,2}:\d{1,2}(,|.)\d{1,3}\s\[

The default format : 2020-12-07 08:02:24.350 [<thread>] <type> <bla bla bla ...>

When the record is a Java Exception logging, there is no problem. The record is complete and contain all the stacktrace (SHOULD_LINEMERGE = TRUE)

But I have other cases which group together a whole set of lines. And each time, the first line contains the word "started", and the last the word "ended". For example, this is for Splunk only one log. But I would like 4 !

 

 

 

2020-12-07 08:02:30,567 [http-nio-10.108.181.36-30000-exec-6] INFO  p.a.f.s.w.FrontalAuthentRestController 869 -  - b- health-check started.  (FrontalAuthentRestController.java:37) 
2020-12-07 08:02:30,583 [http-nio-10.108.181.36-30000-exec-6] INFO  p.a.f.s.w.FrontalAuthentRestController 869 -  - b- health-check ended.  (FrontalAuthentRestController.java:44) 
2020-12-07 08:02:34,670 [http-nio-10.108.181.36-30000-exec-9] INFO  p.a.f.s.w.FrontalAuthentRestController 845 -  - b- health-check started.  (FrontalAuthentRestController.java:37) 
2020-12-07 08:02:34,684 [http-nio-10.108.181.36-30000-exec-9] INFO  p.a.f.s.w.FrontalAuthentRestController 845 -  - b- health-check ended.  (FrontalAuthentRestController.java:44)

 

 

 

I find the same problem with "proxy started" / "proxy ended", or "doFilter started" / "doFilter ended"...

Each time, Splunk gathers the recordings into one

 

 

 

2020-12-07 08:01:43,430 [http-nio-10.108.181.35-30000-exec-3] INFO  p.a.f - proxy started.  (Proxy.java:106) 
2020-12-07 08:01:43,433 [http-nio-10.108.181.35-30000-exec-3] INFO  p.a.f. - IDPART = // NUINPE = (Proxy.java:108) 
2020-12-07 08:01:43,443 [http-nio-10.108.181.35-30000-exec-3] INFO  p.a.f - /3  (ProxyHelper.java:49) 
2020-12-07 08:01:43,444 [http-nio-10.108.181.35-30000-exec-3] INFO  p.a.f. - /3  (Proxy.java:114) 
2020-12-07 08:01:43,907 [http-nio-10.108.181.35-30000-exec-3] INFO  p.a.f - proxy ended.  (Proxy.java:124)

 

 

 

Do you have an idea ?

0 Karma
Reply
Get Updates on the Splunk Community!

Building Reliable Asset and Identity Frameworks in Splunk ES

 Accurate asset and identity resolution is the backbone of security operations. Without it, alerts are ...

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

For Splunk Cloud customers, understanding and optimizing Splunk Virtual Compute (SVC) usage and resource ...

Automatic Discovery Part 3: Practical Use Cases

If you’ve enabled Automatic Discovery in your install of the Splunk Distribution of the OpenTelemetry ...