Refine your search:

possible file input defect

2

Greetings,

I've noticed that one of my input files was not reading into splunk entirely. (ver 4.2 96430) After doing some troubleshooting, it appears that the file is read short, and I can reproduce this based on the contents of the file.

For instance, I have inputting this data:

Host=SERVERNAME
Source=Broadcom BCM5709S NetXtreme II GigE [NDIS VBD Client]
BytesReceivedPerSec="3362"
BytesSentPerSec="0"
BytesTotalPerSec="3362"
Description=""
Frequency_Object=""
Frequency_PerfTime=""
Frequency_Sys100NS=""
OutputQueueLength="0"
CurrentBandwidth="1000000000"
PacketsOutboundDiscarded="0"
PacketsOutboundErrors="0"
PacketsPerSec="24"
PacketsReceivedDiscarded="0"
PacketsReceivedErrors="0"
PacketsReceivedNonUnicastPerSec="13"
PacketsReceivedPerSec="24"
PacketsReceivedUnicastPerSec="10"
PacketsReceivedUnknown="0"
PacketsSentNonUnicastPerSec="0"
PacketsSentPerSec="0"
PacketsSentUnicastPerSec="0"
Timestamp_Object=""
Timestamp_PerfTime=""
Timestamp_Sys100NS=""

Splunk only shows the data up until the line that reads: CurrentBandwidth="1000000000"

The reading is aborted at the line. If I move the line up, or down, it follows the line. If I change the data in the line, even removing a single 0, then splunk reads the data correctly in its entirety.

I'm pretty sure this is a defect, but I don't know how to open a bug report. Hopefully this is sufficient.

Other data that might be relevant is that I am putting this into a directory that is a sinkhole, s it's batch inputted.

Let me know what other information may be useful to supply.

asked 03 Jun '11, 07:40

jgauthier's gravatar image

jgauthier
1837
accept rate: 27%

What happens when you "view source" for the event?

(03 Jun '11, 09:45) Simeon ♦

It shows the truncated data as well.

(03 Jun '11, 09:52) jgauthier

This is definitely a defect. I have been able to reproduce this repeatedly on large numbers starting with a 1. for instance, all of these lines, in different files cause splunk to stop processing: Timestamp_PerfTime="1309871324971" CommitLimit="103056531456" AvgDiskQueueLength="18446743927822183616"

However, if I change the leading digit to a 2, or other number the data loads correctly.

I've put in a bug, but didn't realize this was the problem, so I am going to try and update it.

(03 Jun '11, 10:19) jgauthier
One Answer:
oldestnewestmost voted
3

actually it's probably getting split into a new event based on the BREAK_ONLY_BEFORE_DATE default rule. The number is read as an epoch timestamp, and the data is getting indexed but with a time range outside where you're looking. a solution would be a to specify an explicit TIME_FORMAT, or DATETIME_CONFIG = CURRENT, or if you're trying to index the entire file as a single event (vs one line per event), set SHOULD_LINEMERGE = false and LINE_BREAKER = (?!)

link

answered 03 Jun '11, 10:35

gkanapathy's gravatar image

gkanapathy ♦
26.3k1622
accept rate: 42%

Wow. It was reading it as a time stamp. That's really interesting. Those adjustments allowed the data to process correctly. Thanks for the advice.

(03 Jun '11, 10:49) jgauthier

I would not recommend LINE_BREAKER = (?!) Instead, please use something like LINE_BREAKER = ()zqsxtp-will-not-be-present In other words, a paren pair, and text which will not be present in your event, preferably starting with a rare character.

(06 Mar, 10:40) jrodman ♦
Post your answer
toggle preview

Follow this question

Log In to enable email subscriptions

RSS:

Answers

Answers + Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "Title")
  • image?![alt text](/path/img.jpg "Title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

learn more about Markdown

Tags:

×38
×29
×17

Asked: 03 Jun '11, 07:40

Seen: 484 times

Last updated: 06 Mar, 10:40

Related questions

Can you create a batch input processing using the admin interface?

Does batch input ignore files already read?

Splunk throws error message when data input tar.gz file contains Simplified Chinese characters(GB2312): Input is not proper UTF-8, indicate encoding!

Batch input doesn't honor LINE_BREAKER settings

NOOB - run a query in batch with varying input

Which input provides better performance batch or monitor

Input a file into a query, possible?

scripted input batch script cant access files in same dir

EventViewer bug? "[EventsViewer module] Input is not proper UTF-8"

Copyright © 2005-2012 Splunk, Inc. All rights reserved.