Request trial
Request Trial

if-else failed, not enough fields

Tags:
#1 cwigley

Having a reoccurring problem where I get the following error and my output file quits updating for a few minutes then picks back up again. As a side note, I was having a problem with the eventlog because of an entry that was being written that had an object serialized as xml in the message. That is the exclusion in my application log. Since then, the event log has been working flawlessly.

I found a similar post except that in my instance I have already use a more specific filter.

http://nxlog.org/question/531/iis-log-bad-characters-causes-nxlog-crash-causing-random-event-dump

Log 2015-03-06 13:10:32 INFO nxlog-ce-2.8.1248 started 2015-03-06 13:14:07 ERROR if-else failed at line 70, character 336 in C:\Program Files (x86)\nxlog\conf\nxlog.conf. statement execution has been aborted; procedure 'parse_csv' failed at line 70, character 226 in C:\Program Files (x86)\nxlog\conf\nxlog.conf. statement execution has been aborted; Not enough fields in CSV input, expected 17, got 0 in input ''

2015-03-06 13:28:30 ERROR if-else failed at line 70, character 336 in C:\Program Files (x86)\nxlog\conf\nxlog.conf. statement execution has been aborted; procedure 'parse_csv' failed at line 70, character 226 in C:\Program Files (x86)\nxlog\conf\nxlog.conf. statement execution has been aborted; Not enough fields in CSV input, expected 17, got 0 in input ''

2015-03-06 13:50:07 ERROR if-else failed at line 70, character 336 in C:\Program Files (x86)\nxlog\conf\nxlog.conf. statement execution has been aborted; procedure 'parse_csv' failed at line 70, character 226 in C:\Program Files (x86)\nxlog\conf\nxlog.conf. statement execution has been aborted; Not enough fields in CSV input, expected 17, got 0 in input ''

2015-03-06 14:07:39 ERROR if-else failed at line 70, character 336 in C:\Program Files (x86)\nxlog\conf\nxlog.conf. statement execution has been aborted; procedure 'parse_csv' failed at line 70, character 226 in C:\Program Files (x86)\nxlog\conf\nxlog.conf. statement execution has been aborted; Not enough fields in CSV input, expected 17, got 0 in input ''

Line 70 refers to the closing bracket in
<Input default_iis_in>
 Module im_file
 File "D:\inetpub\logs\LogFiles\W3SVC1\u_ex*.log"
    ReadFromLast TRUE
    Exec if $raw_event=~/^#/ drop();                         \
   else                                                \
   {                                                   \
    w3c->parse_csv();                               \
    $EventTime = parsedate($date + " " + $time);    \
   }
</Input>

Full config

## This is a sample configuration file. See the nxlog reference manual about the
## configuration options. It should be installed locally and is also available
## online at http://nxlog.org/nxlog-docs/en/nxlog-reference-manual.html

## Please set the ROOT to the folder your nxlog was installed into,
## otherwise it will not start.

#define ROOT C:\Program Files\nxlog
define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

<Extension w3c>
    Module      xm_csv
    Fields $date, $time, $s-ip, $cs-method, $cs-uri-stem, $cs-uri-query, $s-port, $cs-username, $c-ip, $cs(User-Agent), $cs(Referer), $sc-status, $sc-substatus, $sc-win32-status, $sc-bytes, $cs-bytes, $time-taken
    FieldTypes  string, string, string, string, string, string, string, string, string, string, string, string, string, string, string, string, string
    Delimiter ' '
    QuoteChar   '"'
    EscapeControl FALSE
    UndefValue  -
</Extension>

<Extension json>
    Module xm_json
</Extension>

<Extension fileop>
    Module      xm_fileop

    <Schedule>
        Every   10 min
        Exec    file_truncate("evt.json");
    </Schedule>

    <Schedule>
        Every   10 min
        Exec    file_truncate("iis-default.json");
    </Schedule>

</Extension>

<Input evt_in>
    Module      im_msvistalog
    Query       <QueryList>\
                    <Query Id="0">\
                        <Select Path="Application">*</Select>   \
                    </Query>\
                </QueryList>
    ReadFromLast TRUE
    Exec        if $SourceName=~/TfsDeployer/ drop();           \
                else                                            \
                {                                               \
                    to_json();                                  \
                }
</Input>

<Input default_iis_in>
 Module im_file
 File "D:\inetpub\logs\LogFiles\W3SVC1\u_ex*.log"
    ReadFromLast TRUE
    Exec if $raw_event=~/^#/ drop();                         \
   else                                                \
   {                                                   \
    w3c->parse_csv();                               \
    $EventTime = parsedate($date + " " + $time);    \
   }
</Input>

<Output evt_out>
    Module om_file
    File "evt.json"
</Output>

<Output default_iis_out>
    Module om_file
    Exec $raw_event = to_json();
    File "iis-default.json"
</Output>

<Route 1>
    Path        evt_in => evt_out
</Route>

<Route 2>
    Path default_iis_in => default_iis_out
</Route>

 

Any help would be appreciated. Thank you.

Permalink
#2 cwigley
#1 cwigley
Having a reoccurring problem where I get the following error and my output file quits updating for a few minutes then picks back up again. As a side note, I was having a problem with the eventlog because of an entry that was being written that had an object serialized as xml in the message. That is the exclusion in my application log. Since then, the event log has been working flawlessly. I found a similar post except that in my instance I have already use a more specific filter. http://nxlog.org/question/531/iis-log-bad-characters-causes-nxlog-crash-causing-random-event-dump Log 2015-03-06 13:10:32 INFO nxlog-ce-2.8.1248 started 2015-03-06 13:14:07 ERROR if-else failed at line 70, character 336 in C:\Program Files (x86)\nxlog\conf\nxlog.conf. statement execution has been aborted; procedure 'parse_csv' failed at line 70, character 226 in C:\Program Files (x86)\nxlog\conf\nxlog.conf. statement execution has been aborted; Not enough fields in CSV input, expected 17, got 0 in input '' 2015-03-06 13:28:30 ERROR if-else failed at line 70, character 336 in C:\Program Files (x86)\nxlog\conf\nxlog.conf. statement execution has been aborted; procedure 'parse_csv' failed at line 70, character 226 in C:\Program Files (x86)\nxlog\conf\nxlog.conf. statement execution has been aborted; Not enough fields in CSV input, expected 17, got 0 in input '' 2015-03-06 13:50:07 ERROR if-else failed at line 70, character 336 in C:\Program Files (x86)\nxlog\conf\nxlog.conf. statement execution has been aborted; procedure 'parse_csv' failed at line 70, character 226 in C:\Program Files (x86)\nxlog\conf\nxlog.conf. statement execution has been aborted; Not enough fields in CSV input, expected 17, got 0 in input '' 2015-03-06 14:07:39 ERROR if-else failed at line 70, character 336 in C:\Program Files (x86)\nxlog\conf\nxlog.conf. statement execution has been aborted; procedure 'parse_csv' failed at line 70, character 226 in C:\Program Files (x86)\nxlog\conf\nxlog.conf. statement execution has been aborted; Not enough fields in CSV input, expected 17, got 0 in input '' Line 70 refers to the closing bracket in <Input default_iis_in>  Module im_file  File "D:\inetpub\logs\LogFiles\W3SVC1\u_ex*.log"     ReadFromLast TRUE     Exec if $raw_event=~/^#/ drop();                         \    else                                                \    {                                                   \     w3c->parse_csv();                               \     $EventTime = parsedate($date + " " + $time);    \    } </Input> Full config ## This is a sample configuration file. See the nxlog reference manual about the ## configuration options. It should be installed locally and is also available ## online at http://nxlog.org/nxlog-docs/en/nxlog-reference-manual.html ## Please set the ROOT to the folder your nxlog was installed into, ## otherwise it will not start. #define ROOT C:\Program Files\nxlog define ROOT C:\Program Files (x86)\nxlog Moduledir %ROOT%\modules CacheDir %ROOT%\data Pidfile %ROOT%data\nxlog.pid SpoolDir %ROOT%\data LogFile %ROOT%\data\nxlog.log <Extension w3c>     Module      xm_csv     Fields $date, $time, $s-ip, $cs-method, $cs-uri-stem, $cs-uri-query, $s-port, $cs-username, $c-ip, $cs(User-Agent), $cs(Referer), $sc-status, $sc-substatus, $sc-win32-status, $sc-bytes, $cs-bytes, $time-taken     FieldTypes  string, string, string, string, string, string, string, string, string, string, string, string, string, string, string, string, string     Delimiter ' '     QuoteChar   '"'     EscapeControl FALSE     UndefValue  - </Extension> <Extension json>     Module xm_json </Extension> <Extension fileop>     Module      xm_fileop     <Schedule>         Every   10 min         Exec    file_truncate("evt.json");     </Schedule>     <Schedule>         Every   10 min         Exec    file_truncate("iis-default.json");     </Schedule> </Extension> <Input evt_in>     Module      im_msvistalog     Query       <QueryList>\                     <Query Id="0">\                         <Select Path="Application">*</Select>   \                     </Query>\                 </QueryList>     ReadFromLast TRUE     Exec        if $SourceName=~/TfsDeployer/ drop();           \                 else                                            \                 {                                               \                     to_json();                                  \                 } </Input> <Input default_iis_in>  Module im_file  File "D:\inetpub\logs\LogFiles\W3SVC1\u_ex*.log"     ReadFromLast TRUE     Exec if $raw_event=~/^#/ drop();                         \    else                                                \    {                                                   \     w3c->parse_csv();                               \     $EventTime = parsedate($date + " " + $time);    \    } </Input> <Output evt_out>     Module om_file     File "evt.json" </Output> <Output default_iis_out>     Module om_file     Exec $raw_event = to_json();     File "iis-default.json" </Output> <Route 1>     Path        evt_in => evt_out </Route> <Route 2>     Path default_iis_in => default_iis_out </Route>   Any help would be appreciated. Thank you.

After watching this a little more closely the error seems to happen when the output file gets truncated. Is there perhaps a better way of managing this file? My only need is for it not to grow indefinitely.
Login to see more

Subscribe to our newsletter to get the latest updates, news, and products releases.

© Copyright 2024 NXLog Ltd.

PRIVACY POLICY GENERAL TERMS OF BUSINESS