<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: How to use Splunk to detect custom log pattern when using sleuth for traces? in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/How-to-use-Splunk-to-detect-custom-log-pattern-when-using-sleuth/m-p/330043#M93422</link>
    <description>&lt;P&gt;I do not want to do it at request/search time as there will be a performance impact. I would like to do it at index time so that searches are faster at search time.&lt;/P&gt;</description>
    <pubDate>Mon, 29 Jan 2018 15:28:50 GMT</pubDate>
    <dc:creator>volijaadu</dc:creator>
    <dc:date>2018-01-29T15:28:50Z</dc:date>
    <item>
      <title>How to use Splunk to detect custom log pattern when using sleuth for traces?</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/How-to-use-Splunk-to-detect-custom-log-pattern-when-using-sleuth/m-p/330041#M93420</link>
      <description>&lt;P&gt;Sample log file output&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;2018-01-29 17:46:35.341  INFO [hello-service,ca62f5d265c65e37,ca62f5d265c65e37,true] 9404 ---  [  XNIO-2 task-1] io.undertow.servlet                       Initializing Spring FrameworkServlet 'dispatcherServlet'
2018-01-29 17:46:35.342  INFO [hello-service,ca62f5d265c65e37,ca62f5d265c65e37,true] 9404 ---  [  XNIO-2 task-1] o.s.web.servlet.DispatcherServlet         FrameworkServlet 'dispatcherServlet': initialization started
2018-01-29 17:46:35.456  INFO [hello-service,ca62f5d265c65e37,ca62f5d265c65e37,true] 9404 ---  [  XNIO-2 task-1] o.s.web.servlet.DispatcherServlet         FrameworkServlet 'dispatcherServlet': initialization completed in 114 ms
2018-01-29 17:46:35.523  INFO [hello-service,ca62f5d265c65e37,ca62f5d265c65e37,true] 9404 ---  [  XNIO-2 task-1] com.demo.services.web.Controller          Received request
2018-01-29 17:46:42.009  INFO [hello-service,f3f5b0389dcdd2e9,f3f5b0389dcdd2e9,false] 9404 ---  [  XNIO-2 task-2] com.demo.services.web.Controller          Received request
2018-01-29 17:46:46.534  INFO [hello-service,7f2fed9d81715a4e,7f2fed9d81715a4e,true] 9404 ---  [  XNIO-2 task-3] com.demo.services.web.Controller          Received request
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;&lt;STRONG&gt;LOG_PATTERN used in logback-spring.xml configuration file&lt;/STRONG&gt;&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;    "%d{yyyy-MM-dd HH:mm:ss.SSS}
    ${LOG_LEVEL_PATTERN:-%5p} ${PID:- }
    [%15.15t] %-40.40logger{39}  %m%n${LOG_EXCEPTION_CONVERSION_WORD:-%wEx}"
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;I am using Spring Cloud Sleuth to generate the traceId in the logs using the above pattern in logback configuration.&lt;/P&gt;

&lt;P&gt;When I import the log file to Splunk, I want Splunk to recognize the fields&lt;BR /&gt;
&lt;CODE&gt;timestamp,loglevel,[serviceId,traceId,segmentId,exportToZipkin],processId&lt;/CODE&gt; and so on, corresponding to the pattern in the &lt;CODE&gt;LOG_PATTERN&lt;/CODE&gt;.&lt;/P&gt;

&lt;P&gt;I want Splunk to recognize them because I intend to do aggregate searches in Splunk based on the &lt;CODE&gt;serviceId,traceId,segmentId&lt;/CODE&gt; fields logged in the file.&lt;/P&gt;

&lt;P&gt;Does Splunk automatically recognize this log pattern, or is there a way to teach Splunk to recognize this format so as to enable it to index the new data accordingly and to provide options to search by the respective fields?&lt;/P&gt;</description>
      <pubDate>Mon, 29 Jan 2018 13:03:19 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/How-to-use-Splunk-to-detect-custom-log-pattern-when-using-sleuth/m-p/330041#M93420</guid>
      <dc:creator>volijaadu</dc:creator>
      <dc:date>2018-01-29T13:03:19Z</dc:date>
    </item>
    <item>
      <title>Re: How to use Splunk to detect custom log pattern when using sleuth for traces?</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/How-to-use-Splunk-to-detect-custom-log-pattern-when-using-sleuth/m-p/330042#M93421</link>
      <description>&lt;P&gt;Hi volijaadu,&lt;/P&gt;

&lt;P&gt;After indexing data you can use the auto extractor of Splunk or write a regex to extract the required fields.&lt;BR /&gt;
Use this link to use the Splunk field extractor:&lt;BR /&gt;
&lt;A href="https://docs.splunk.com/Documentation/Splunk/7.0.1/Knowledge/FXSelectSamplestep"&gt;https://docs.splunk.com/Documentation/Splunk/7.0.1/Knowledge/FXSelectSamplestep&lt;/A&gt;&lt;/P&gt;</description>
      <pubDate>Mon, 29 Jan 2018 14:10:31 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/How-to-use-Splunk-to-detect-custom-log-pattern-when-using-sleuth/m-p/330042#M93421</guid>
      <dc:creator>p_gurav</dc:creator>
      <dc:date>2018-01-29T14:10:31Z</dc:date>
    </item>
    <item>
      <title>Re: How to use Splunk to detect custom log pattern when using sleuth for traces?</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/How-to-use-Splunk-to-detect-custom-log-pattern-when-using-sleuth/m-p/330043#M93422</link>
      <description>&lt;P&gt;I do not want to do it at request/search time as there will be a performance impact. I would like to do it at index time so that searches are faster at search time.&lt;/P&gt;</description>
      <pubDate>Mon, 29 Jan 2018 15:28:50 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/How-to-use-Splunk-to-detect-custom-log-pattern-when-using-sleuth/m-p/330043#M93422</guid>
      <dc:creator>volijaadu</dc:creator>
      <dc:date>2018-01-29T15:28:50Z</dc:date>
    </item>
  </channel>
</rss>

