Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Concatenation of records between two keywords ?

pck_npluyaud
Engager
‎12-07-2020 12:55 AM

Hello.

It is not a question, it is a use case that I don't arrive to resolve.

The situation :

  • a log file on remote server, with a Splunk Universal Forwarder and only an inputs.conf (not other conf)
  • a props.conf on Heavy Forwarder with
    • LINE_BREAKER = \d{1,4}-\d{1,2}-\d{1,2}\s\d{1,2}:\d{1,2}:\d{1,2}(,|.)\d{1,3}\s\[

The default format : 2020-12-07 08:02:24.350 [<thread>] <type> <bla bla bla ...>

When the record is a Java Exception logging, there is no problem. The record is complete and contain all the stacktrace (SHOULD_LINEMERGE = TRUE)

But I have other cases which group together a whole set of lines. And each time, the first line contains the word "started", and the last the word "ended". For example, this is for Splunk only one log. But I would like 4 !

 

 

 

2020-12-07 08:02:30,567 [http-nio-10.108.181.36-30000-exec-6] INFO  p.a.f.s.w.FrontalAuthentRestController 869 -  - b- health-check started.  (FrontalAuthentRestController.java:37) 
2020-12-07 08:02:30,583 [http-nio-10.108.181.36-30000-exec-6] INFO  p.a.f.s.w.FrontalAuthentRestController 869 -  - b- health-check ended.  (FrontalAuthentRestController.java:44) 
2020-12-07 08:02:34,670 [http-nio-10.108.181.36-30000-exec-9] INFO  p.a.f.s.w.FrontalAuthentRestController 845 -  - b- health-check started.  (FrontalAuthentRestController.java:37) 
2020-12-07 08:02:34,684 [http-nio-10.108.181.36-30000-exec-9] INFO  p.a.f.s.w.FrontalAuthentRestController 845 -  - b- health-check ended.  (FrontalAuthentRestController.java:44)

 

 

 

I find the same problem with "proxy started" / "proxy ended", or "doFilter started" / "doFilter ended"...

Each time, Splunk gathers the recordings into one

 

 

 

2020-12-07 08:01:43,430 [http-nio-10.108.181.35-30000-exec-3] INFO  p.a.f - proxy started.  (Proxy.java:106) 
2020-12-07 08:01:43,433 [http-nio-10.108.181.35-30000-exec-3] INFO  p.a.f. - IDPART = // NUINPE = (Proxy.java:108) 
2020-12-07 08:01:43,443 [http-nio-10.108.181.35-30000-exec-3] INFO  p.a.f - /3  (ProxyHelper.java:49) 
2020-12-07 08:01:43,444 [http-nio-10.108.181.35-30000-exec-3] INFO  p.a.f. - /3  (Proxy.java:114) 
2020-12-07 08:01:43,907 [http-nio-10.108.181.35-30000-exec-3] INFO  p.a.f - proxy ended.  (Proxy.java:124)

 

 

 

Do you have an idea ?

Labels (1)
Labels
0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...