https://community.splunk.com/t5/Splunk-Search/What-is-the-best-custom-log-event-format-for-Splunk-to-eat/m-p/12509#M1030 <P>The optimal log format is - </P> <P>timestamp key=value key=value key=value key=value key=value key=value key=value key=value </P> <P>You can have other delimiters in there too like , or : but that's pretty much a personal preference. If the keys and values are easily recognizable, Splunk will index and search as fast as you can write it out.</P> Thu, 29 Apr 2010 04:28:19 GMT Mick 2010-04-29T04:28:19Z https://community.splunk.com/t5/Splunk-Search/What-is-the-best-custom-log-event-format-for-Splunk-to-eat/m-p/12508#M1029 <P>I intend modify my app/script so that it will write out a completely custom log file format for Splunk to monitor and index in real-time.</P> <P>What is the best, most optimal format to use for my custom log event such that Splunk automatically extracts ALL of my fields and the timestamp and I do not have to setup or configure any field extractions myself.</P> Thu, 29 Apr 2010 03:45:56 GMT https://community.splunk.com/t5/Splunk-Search/What-is-the-best-custom-log-event-format-for-Splunk-to-eat/m-p/12508#M1029 maverick 2010-04-29T03:45:56Z https://community.splunk.com/t5/Splunk-Search/What-is-the-best-custom-log-event-format-for-Splunk-to-eat/m-p/12509#M1030 <P>The optimal log format is - </P> <P>timestamp key=value key=value key=value key=value key=value key=value key=value key=value </P> <P>You can have other delimiters in there too like , or : but that's pretty much a personal preference. If the keys and values are easily recognizable, Splunk will index and search as fast as you can write it out.</P> Thu, 29 Apr 2010 04:28:19 GMT https://community.splunk.com/t5/Splunk-Search/What-is-the-best-custom-log-event-format-for-Splunk-to-eat/m-p/12509#M1030 Mick 2010-04-29T04:28:19Z https://community.splunk.com/t5/Splunk-Search/What-is-the-best-custom-log-event-format-for-Splunk-to-eat/m-p/12510#M1031 <P>Hello Mick. Could you share a log format example? What is the timestamp format?</P> Thu, 14 Apr 2011 02:08:53 GMT https://community.splunk.com/t5/Splunk-Search/What-is-the-best-custom-log-event-format-for-Splunk-to-eat/m-p/12510#M1031 juansh2809 2011-04-14T02:08:53Z https://community.splunk.com/t5/Splunk-Search/What-is-the-best-custom-log-event-format-for-Splunk-to-eat/m-p/12511#M1032 <P>Something like this:</P> <P>Generic Example:</P> <P>[Timestamp] Hostname HostIP=IPaddress Service=ServiceName ClientIP=IPaddress SrcPor=port# DestPort=port# UID=value Stuff=blah Morestuff=blahblah</P> <P>Specific Example:</P> <P>May 26 18:14:15 myhostname HostIP=10.5.10.2 Service=CustomLogger ClientIP=75.149.38.65 SrcPort=80 DestPort=8080 UID=10534 ImportantValue=Be9r87 AnotherImportantValue=310984</P> Tue, 31 May 2011 23:18:38 GMT https://community.splunk.com/t5/Splunk-Search/What-is-the-best-custom-log-event-format-for-Splunk-to-eat/m-p/12511#M1032 MillerTime 2011-05-31T23:18:38Z https://community.splunk.com/t5/Splunk-Search/What-is-the-best-custom-log-event-format-for-Splunk-to-eat/m-p/12512#M1033 <P>The time stamp should be in ISO8601 form - i.e. variants of YYYY-MM-DD HH:MM:SS.mmm TZ DST.</P> <P>Example: 2011-10-24 14:04:02 +0200 DST</P> <P>If you do not want (or need) the time zone of Daylight Savings Time designators - these may be omitted.</P> Mon, 24 Oct 2011 09:08:46 GMT https://community.splunk.com/t5/Splunk-Search/What-is-the-best-custom-log-event-format-for-Splunk-to-eat/m-p/12512#M1033 RubenOlsen 2011-10-24T09:08:46Z https://community.splunk.com/t5/Splunk-Search/What-is-the-best-custom-log-event-format-for-Splunk-to-eat/m-p/12513#M1034 <P>What if you want log sql commands like this:</P> <P>Example:</P> <P>May 26 18:14:15 myhostname DBIP=10.5.10.2 Service=OracleXE ClientIP=75.149.38.65 SrcPort=80 DestPort=8080 UID=10534 <STRONG>Sql_Text=Select * from Table1 where uname="dummy"</STRONG></P> <P>As you can see <EM>timestamp key=value key=value key=value ...</EM> in this example is not good and <STRONG>,</STRONG> or <STRONG>:</STRONG> is not good delimiters because all of this delimiters can be in sql commands which cause broken extract fields.</P> Mon, 24 Oct 2011 20:01:29 GMT https://community.splunk.com/t5/Splunk-Search/What-is-the-best-custom-log-event-format-for-Splunk-to-eat/m-p/12513#M1034 pero1234 2011-10-24T20:01:29Z https://community.splunk.com/t5/Splunk-Search/What-is-the-best-custom-log-event-format-for-Splunk-to-eat/m-p/12514#M1035 <P>There are several ways to deal with the <STRONG>Sql_Text=Select * from Table1 where uname="dummy"</STRONG></P> <P>One way which will work if the Sql_Text=something is at the end of a log event is to use filed extractions (i.e. EXTRACT) in the props.conf file:</P> <BLOCKQUOTE> <P>EXTRACT-Sql_Text = Sql_Text=(?<SQL_TEXT>.+)$</SQL_TEXT></P> </BLOCKQUOTE> <P>You could even do this directly in the search app without using the props.conf stuff. The following should give you a list with the count of the 10 most used Sql_Text expression grouped by the ClientIP field:</P> <BLOCKQUOTE> <P>* | rex field=_raw " Sql_Text=(?&lt;SqlText&gt;.+)$" | stats count ClientIP, SqlText | sort 10 -count</P> </BLOCKQUOTE> Mon, 28 Sep 2020 10:00:58 GMT https://community.splunk.com/t5/Splunk-Search/What-is-the-best-custom-log-event-format-for-Splunk-to-eat/m-p/12514#M1035 RubenOlsen 2020-09-28T10:00:58Z https://community.splunk.com/t5/Splunk-Search/What-is-the-best-custom-log-event-format-for-Splunk-to-eat/m-p/12515#M1036 <P>I use:</P> <BLOCKQUOTE> <P>key="value" || key="value" || key="value"</P> </BLOCKQUOTE> <P>My props.conf looks like this:</P> <BLOCKQUOTE> <P>[my_sourcetype]<BR /> KV_MODE = none<BR /> REPORT-event = my_sourcetype_event</P> </BLOCKQUOTE> <P>My transforms.conf looks like this:</P> <BLOCKQUOTE> <P>[my_sourcetype_event]<BR /> MV_ADD = true<BR /> KEEP_EMPTY_VALS = true<BR /> REGEX = ([^=(\s+\|\|\s+)]*?)\s*\=\s*(.)((?:[^\2]|[^=])*?)\2+?(?:\s+\|\|\s+|$)<BR /> FORMAT = $1::$3</P> </BLOCKQUOTE> <P>My events look like this:</P> <BLOCKQUOTE> <P>timestamp="2012-02-24 17:39:19 -0800 (PST)" || type="php" || message="my message" || variables_type="Warning" || variables_message="blah" || variables_function="sure" || variables_file="file.php" || variables_line="958" || severity="error" || user_uid="1212" || user_language="fr" || user_ctry_cd="AX" || user_name="nada" || user_init="124124" || user_is_employee="no" || request_uri="<A href="http://foo.com/sure">http://foo.com/sure</A>" || referer="<A href="http://bar.com/foo">http://bar.com/foo</A>" || ip="10.10.10.10" || message_id="6"</P> </BLOCKQUOTE> <P>The regex I made is pretty cool. It'll let you do:</P> <BLOCKQUOTE> <P>key=[any character]valuebla[any character]hvalue[any character] ||</P> </BLOCKQUOTE> <P>For example:</P> <BLOCKQUOTE> <P>dog="spot" ||<BR /> alien='zonk' ||<BR /> fruit=^apple^ ||<BR /> broken=#not#brok#en# ||<BR /> horriblekey="imnothorrible="yesyouare" ishouldbemyownfield="wellyouwont" i="give="up""" ||</P> </BLOCKQUOTE> Sat, 25 Feb 2012 07:34:11 GMT https://community.splunk.com/t5/Splunk-Search/What-is-the-best-custom-log-event-format-for-Splunk-to-eat/m-p/12515#M1036 tcperkin 2012-02-25T07:34:11Z https://community.splunk.com/t5/Splunk-Search/What-is-the-best-custom-log-event-format-for-Splunk-to-eat/m-p/12516#M1037 <P>Your transforms.conf worked amazing for me. All I had to do was format my source events like yours. Thank you!</P> Thu, 07 May 2015 18:57:09 GMT https://community.splunk.com/t5/Splunk-Search/What-is-the-best-custom-log-event-format-for-Splunk-to-eat/m-p/12516#M1037 joshualarkins 2015-05-07T18:57:09Z