https://community.splunk.com/t5/Alerting/Oracle-alert-logs/m-p/582003#M13406 <P>Hola, lo conseguiste? como pudiste mandar el log de 'alert' a un índice? Tengo la aplicación&nbsp;<EM>Splunk_TA_oracle</EM> es un Heavy Forwarder pero no se como recibir datos. Me podrías indicar los pasos?</P><P>Muchas gracias y un saludo.</P> Fri, 21 Jan 2022 13:52:45 GMT talonso 2022-01-21T13:52:45Z https://community.splunk.com/t5/Alerting/Oracle-alert-logs/m-p/29292#M253 <P>I need to monitor Oracle alert logs and noticed that there are no pretrained sourcetypes for Oracle logs. Do I need to create a custom sourcetype? Can I add these logs to Splunk without defining the log format?</P> Tue, 06 Dec 2011 16:25:27 GMT https://community.splunk.com/t5/Alerting/Oracle-alert-logs/m-p/29292#M253 jonathan_lam 2011-12-06T16:25:27Z https://community.splunk.com/t5/Alerting/Oracle-alert-logs/m-p/29293#M254 <P>You could probably start indexing without too much hassle. You don't need to configure anything, but you could avoid a few problems down the line by ensuring that timestamps and sourcetypes are correct.</P> <P>First - create a dummy test index and upload an Oracle Alert file there to check the following:<BR /> are timestamps recognized correctly?<BR /> does splunk set a sourcetype name you can live with?</P> <P>If not, you'd need to fix this before you start to send the files to the production index.</P> <P>This is done in props.conf and inputs.conf, respectively. The inputs.conf deal with things happening during the input phase, so if you have any type of forwarder, you should edit the inputs.conf there. props.conf settings are handled in several phases, but timestamping settings should be configured on the forwarder only if you have a full forwarder. If you have UF or LWF, or no forwarder at all, this is configured on the indexer. </P> <P>Some of the following might help you;</P> <P><A href="http://docs.splunk.com/Documentation/Splunk/latest/Admin/Propsconf">http://docs.splunk.com/Documentation/Splunk/latest/Admin/Propsconf</A><BR /> <A href="http://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf">http://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf</A><BR /> <A href="http://docs.splunk.com/Documentation/Splunk/latest/Data/WhatSplunkcanmonitor">http://docs.splunk.com/Documentation/Splunk/latest/Data/WhatSplunkcanmonitor</A></P> <P>hope this helps,</P> <P>Kristian</P> Wed, 07 Dec 2011 08:38:26 GMT https://community.splunk.com/t5/Alerting/Oracle-alert-logs/m-p/29293#M254 kristian_kolb 2011-12-07T08:38:26Z https://community.splunk.com/t5/Alerting/Oracle-alert-logs/m-p/29294#M255 <P>Thank you sir. I was able to set up the new sourcetype without any configuration to props.conf but will look into your recommendations.</P> Wed, 07 Dec 2011 14:31:32 GMT https://community.splunk.com/t5/Alerting/Oracle-alert-logs/m-p/29294#M255 jonathan_lam 2011-12-07T14:31:32Z https://community.splunk.com/t5/Alerting/Oracle-alert-logs/m-p/29295#M256 <P>Please mark the question as 'answered' by clicking the check mark (a/o vote up) if you've found this helpful.</P> <P>/k</P> Thu, 08 Dec 2011 08:23:45 GMT https://community.splunk.com/t5/Alerting/Oracle-alert-logs/m-p/29295#M256 kristian_kolb 2011-12-08T08:23:45Z https://community.splunk.com/t5/Alerting/Oracle-alert-logs/m-p/582003#M13406 <P>Hola, lo conseguiste? como pudiste mandar el log de 'alert' a un índice? Tengo la aplicación&nbsp;<EM>Splunk_TA_oracle</EM> es un Heavy Forwarder pero no se como recibir datos. Me podrías indicar los pasos?</P><P>Muchas gracias y un saludo.</P> Fri, 21 Jan 2022 13:52:45 GMT https://community.splunk.com/t5/Alerting/Oracle-alert-logs/m-p/582003#M13406 talonso 2022-01-21T13:52:45Z