https://community.splunk.com/t5/Getting-Data-In/Detect-handle-parsing-error-and-log-format-change/m-p/289405#M55230 <P>Hi Giuseppe,</P> <P>Thank you, we will try this tips.</P> <P>Regards,<BR /> István</P> Fri, 13 Oct 2017 20:24:37 GMT ikulcsar 2017-10-13T20:24:37Z https://community.splunk.com/t5/Getting-Data-In/Detect-handle-parsing-error-and-log-format-change/m-p/289403#M55228 <P>Hi,</P> <P>I have been asked about log parsing and parser error detection in Splunk.</P> <P>The questions are: In general<BR /> - how can and should I detect parsing errors in Splunk? (New version of log source, etc without notification to Splunk admin, etc)<BR /> - how should I handle the new log format? There are already data in the index with the old source type. If I modify the sourcetype definitions, it will break the search time field extraction, is it? Clone and modify the source type?</P> <P>I don't find a guide or best practice in the docs...</P> <P>Thanks,<BR /> István</P> Fri, 06 Oct 2017 14:30:07 GMT https://community.splunk.com/t5/Getting-Data-In/Detect-handle-parsing-error-and-log-format-change/m-p/289403#M55228 ikulcsar 2017-10-06T14:30:07Z https://community.splunk.com/t5/Getting-Data-In/Detect-handle-parsing-error-and-log-format-change/m-p/289404#M55229 <P>Hi ikulcsar,<BR /> to answer to your questions:</P> <OL> <LI>you could detect parsing errors identifing, for each sourcetype) one or more fields with controlling values (e.g.: two or three fields with a limited number of values) that you can store in one or more lookups and periodically (e.g. one time a day) check; in other words you have identify a field, put all the correct values in a lookup and check if there are more values than the lookup, if there are maybe there's a parsing error to manually check.</LI> <LI>to check new sourcetypes, you could use the same method (put all the correct sourcetypes in a lookup an run a search).</LI> <LI>to handle the modified sourcetypes you could follow different solutions depending by your situation: a. create a new sourcetype for the modified logs and manage the situation using eventtypes (it's a good practice use eventypes in searches), b. modify extracted fields managing the new and old versions using coalesce funtion; in other words, for each field you maintain the old field extraction, you create a new one and you create a calculated field rule (eval my_field=coalesce(new_field,my_field) to manage the presence of two versions of the same field.</LI> </OL> <P>I hope to be helpful for you.</P> <P>Bye.<BR /> Giuseppe</P> Tue, 29 Sep 2020 16:12:23 GMT https://community.splunk.com/t5/Getting-Data-In/Detect-handle-parsing-error-and-log-format-change/m-p/289404#M55229 gcusello 2020-09-29T16:12:23Z https://community.splunk.com/t5/Getting-Data-In/Detect-handle-parsing-error-and-log-format-change/m-p/289405#M55230 <P>Hi Giuseppe,</P> <P>Thank you, we will try this tips.</P> <P>Regards,<BR /> István</P> Fri, 13 Oct 2017 20:24:37 GMT https://community.splunk.com/t5/Getting-Data-In/Detect-handle-parsing-error-and-log-format-change/m-p/289405#M55230 ikulcsar 2017-10-13T20:24:37Z