https://community.splunk.com/t5/Getting-Data-In/Weblogic-10-x-logs-for-datasource/m-p/25985#M4252 <P>Hi All,</P> <P>I'm trying to add weblogic 10.3 log files to indexer and I'm struggling to get the timestamp parsed correctly. I'm new to Splunk so may need little bit of more step-through/concept help so please ignore my lack of understanding.</P> <OL> <LI>I add the data via local log file. Its more for ad-hoc analysis at this point.. will get to forwarder later!</LI> <LI>I specify source type as log4j</LI> <LI>In the preview srceen the dates don't match as well as the timestamp is wrong compared to data in log messages.</LI> </OL> <P>My log file has data like this</P> <H4>&lt;13/08/2012 12:00:14 AM EST&gt; <ERROR> <NET> <SERVERNAMEV01> <ES25-N1> &lt;[ACTIVE] ExecuteThread: '10' for queue: 'weblogic.kernel.Default (self-tuning)'&gt; &lt;<WLS kernel="">&gt; &lt;&gt; &lt;&gt; &lt;1344175214433&gt; <BEA-000903> &lt;Failed to communicate with proxy: xx.xx.xx.xxx/8080. Will try connection xx.xx.xx.xxx/8081 now.</BEA-000903></WLS></ES25-N1></SERVERNAMEV01></NET></ERROR></H4> <P>The parsing/output in Preview looks like this<BR /> 8/6/12 3:00:14.000 PM ####&lt;13/08/2012 12:00:14 AM EST&gt; </P> <P>As you can see the parsing of the date time isn't working and I get an exclamation mark in preview complaining about 'could not use strptime to parse the timestamp...'</P> <P>currently applied settings looks like this in preview page:</P> <P>NO_BINARY_CHECK=1<BR /> <BR />TIME_FORMAT=%d/%m/%Y %I:%M:%S %p<BR /> <BR />TZ=Australia/Melbourne</P> <P>These previous posts dont work and complains about syntax at startup time.<BR /> <A href="http://splunk-base.splunk.com/answers/8142/how-do-i-extract-useful-information-into-fields-from-oracle-weblogic-application-server-logs" target="_blank">http://splunk-base.splunk.com/answers/8142/how-do-i-extract-useful-information-into-fields-from-oracle-weblogic-application-server-logs</A></P> <P>Any help would be appreciated...</P> <P>Thanks heaps,<BR /> Parth</P> Mon, 28 Sep 2020 12:12:01 GMT pandyaparth 2020-09-28T12:12:01Z https://community.splunk.com/t5/Getting-Data-In/Weblogic-10-x-logs-for-datasource/m-p/25985#M4252 <P>Hi All,</P> <P>I'm trying to add weblogic 10.3 log files to indexer and I'm struggling to get the timestamp parsed correctly. I'm new to Splunk so may need little bit of more step-through/concept help so please ignore my lack of understanding.</P> <OL> <LI>I add the data via local log file. Its more for ad-hoc analysis at this point.. will get to forwarder later!</LI> <LI>I specify source type as log4j</LI> <LI>In the preview srceen the dates don't match as well as the timestamp is wrong compared to data in log messages.</LI> </OL> <P>My log file has data like this</P> <H4>&lt;13/08/2012 12:00:14 AM EST&gt; <ERROR> <NET> <SERVERNAMEV01> <ES25-N1> &lt;[ACTIVE] ExecuteThread: '10' for queue: 'weblogic.kernel.Default (self-tuning)'&gt; &lt;<WLS kernel="">&gt; &lt;&gt; &lt;&gt; &lt;1344175214433&gt; <BEA-000903> &lt;Failed to communicate with proxy: xx.xx.xx.xxx/8080. Will try connection xx.xx.xx.xxx/8081 now.</BEA-000903></WLS></ES25-N1></SERVERNAMEV01></NET></ERROR></H4> <P>The parsing/output in Preview looks like this<BR /> 8/6/12 3:00:14.000 PM ####&lt;13/08/2012 12:00:14 AM EST&gt; </P> <P>As you can see the parsing of the date time isn't working and I get an exclamation mark in preview complaining about 'could not use strptime to parse the timestamp...'</P> <P>currently applied settings looks like this in preview page:</P> <P>NO_BINARY_CHECK=1<BR /> <BR />TIME_FORMAT=%d/%m/%Y %I:%M:%S %p<BR /> <BR />TZ=Australia/Melbourne</P> <P>These previous posts dont work and complains about syntax at startup time.<BR /> <A href="http://splunk-base.splunk.com/answers/8142/how-do-i-extract-useful-information-into-fields-from-oracle-weblogic-application-server-logs" target="_blank">http://splunk-base.splunk.com/answers/8142/how-do-i-extract-useful-information-into-fields-from-oracle-weblogic-application-server-logs</A></P> <P>Any help would be appreciated...</P> <P>Thanks heaps,<BR /> Parth</P> Mon, 28 Sep 2020 12:12:01 GMT https://community.splunk.com/t5/Getting-Data-In/Weblogic-10-x-logs-for-datasource/m-p/25985#M4252 pandyaparth 2020-09-28T12:12:01Z https://community.splunk.com/t5/Getting-Data-In/Weblogic-10-x-logs-for-datasource/m-p/25986#M4253 <P>Hi,I am alse new to Splunk.<BR /> I meet the same problem with _time can't mapping with a true log time.<BR /> My solution is as below<BR /> First:<BR /> I go to WLS Server--&gt;server--&gt;your server name--&gt;logging--&gt;advanced--&gt;Date Format Pattern<BR /> I change it from yyyy/M/d ahh'時'mm'分'ss'秒' z to yyyy/M/d HH'-'mm'-'ss'-' z</P> <P>Two:<BR /> When I restart WLS Server,and I go to Splunk Sever to new a field with name log_time.<BR /> pattern like<BR /> log_time=2014/11/24 15-32-50</P> <P>Now you can use log_time to search your wls_log like<BR /> host=Peter-PC log_time&gt;"2014/11/23 11-00-00", you can get the event occur after 2014/11/23 11-00-00</P> <P>I wish this can help you.</P> <P>by Peter</P> Mon, 28 Sep 2020 18:16:02 GMT https://community.splunk.com/t5/Getting-Data-In/Weblogic-10-x-logs-for-datasource/m-p/25986#M4253 PeterChu 2020-09-28T18:16:02Z https://community.splunk.com/t5/Getting-Data-In/Weblogic-10-x-logs-for-datasource/m-p/25987#M4254 <P>I find something could be better.<BR /> The same way to change date format pattern on weblogic console log config<BR /> change it to yy/M/d HH':'mm':'ss like as 14/12/12 16:52:09</P> <P>Then Splunk can parse this pattern to _time default field correct.<BR /> So you can use _time to search and don't need to define a log_time field.</P> Mon, 28 Sep 2020 18:21:49 GMT https://community.splunk.com/t5/Getting-Data-In/Weblogic-10-x-logs-for-datasource/m-p/25987#M4254 PeterChu 2020-09-28T18:21:49Z