https://community.splunk.com/t5/Splunk-Search/PHP-error-auto-extraction-not-working/m-p/173110#M49651 <P>PHP error logs are not part of the pre-trained sourcetypes, per <A href="http://docs.splunk.com/Documentation/Splunk/6.2.4/Data/Listofpretrainedsourcetypes" target="_blank">this documentation</A>.<BR /> Fields will only be auto-extracted for self-describing log formats, like key=value, json or XML, for example.</P> <P>If you want fields extracted, you will have to configure field extraction for each of the log formats you will see from your servers. You could create two sourcetypes (php_error_fmt1, php_error_fmt2) and then just search for sourcetype=php_error_fmt* to search across both formats.</P> <P>You can create your field extractions either <A href="http://docs.splunk.com/Documentation/Splunk/6.2.4/Knowledge/Createandmaintainsearch-timefieldextractionsthroughconfigurationfiles" target="_blank">via configuration files</A>, or by using the <A href="http://docs.splunk.com/Documentation/Splunk/6.2.4/Knowledge/ExtractfieldsinteractivelywithIFX" target="_blank">interactive field extractor</A> in the UI.</P> Tue, 29 Sep 2020 06:58:17 GMT s2_splunk 2020-09-29T06:58:17Z https://community.splunk.com/t5/Splunk-Search/PHP-error-auto-extraction-not-working/m-p/173108#M49649 <P>Hello,</P> <P>I have set up two servers forwarding php error logs to Splunk. The souretype is set to log4php but the field auto extraction is not working.</P> <P>These are what Splunk gives me:</P> <PRE><CODE># date_hour 2 # date_mday 1 # date_minute 2 a date_month 1 # date_second 3 a date_wday 1 # date_year 1 a date_zone 2 a index 1 # linecount 2 a punct 3 a splunk_server 1 # timeendpos 2 # timestartpos 2 </CODE></PRE> <P>Both servers have a slightly different log format:</P> <P>Server 1</P> <PRE><CODE>[13-Aug-2015 10:16:40 UTC] PHP Notice: Use of undefined constant gdfgdg - assumed 'gdfgdg' in /srv/users/serverpilot/apps/gibhershop2/public/test.php on line 6 </CODE></PRE> <P>Server 2</P> <PRE><CODE>[Thu Aug 13 11:36:09.160891 2015] [:error] [pid 1823] [client 141.101.98.217:23987] PHP Parse error: syntax error, unexpected '!' in /var/www/gsysmp/err.php on line 3 </CODE></PRE> <HR /> <P>Edit<BR /> The fields I want are:</P> <P>Server 1</P> <P>PHP error type, in the example that's <STRONG>PHP Notice</STRONG>, but could be PHP Error: etc.<BR /> The actual error message, in the example <STRONG>Use of undefined constant gdfgdg - assumed 'gdfgdg'</STRONG> - so that's from the ':' of the error type up to 'in /path....'<BR /> The error location, so the path and line number: <STRONG>/srv/users/serverpilot/apps/gibhershop2/public/test.php on line 6</STRONG></P> <P>Server 2</P> <P>PHP error type: [:<STRONG>error</STRONG>], again this might have other values such as warning or notice.<BR /> Error message: <STRONG>PHP Parse error: syntax error, unexpected '!'</STRONG><BR /> Error location: <STRONG>/var/www/gsysmp/err.php on line 3</STRONG></P> <HR /> <P>Am I doing something wrong? Does anyone have some good searches set up for dealing with this type of log if Splunk doesn't auto extract the fields well?</P> <P>Thanks</P> <P>Ric</P> Thu, 13 Aug 2015 10:58:59 GMT https://community.splunk.com/t5/Splunk-Search/PHP-error-auto-extraction-not-working/m-p/173108#M49649 BWRic 2015-08-13T10:58:59Z https://community.splunk.com/t5/Splunk-Search/PHP-error-auto-extraction-not-working/m-p/173109#M49650 <P>If you will explain in each of these logs what fields are supposed to be created where, I will show you a command string that creates them.</P> Thu, 13 Aug 2015 18:00:29 GMT https://community.splunk.com/t5/Splunk-Search/PHP-error-auto-extraction-not-working/m-p/173109#M49650 woodcock 2015-08-13T18:00:29Z https://community.splunk.com/t5/Splunk-Search/PHP-error-auto-extraction-not-working/m-p/173110#M49651 <P>PHP error logs are not part of the pre-trained sourcetypes, per <A href="http://docs.splunk.com/Documentation/Splunk/6.2.4/Data/Listofpretrainedsourcetypes" target="_blank">this documentation</A>.<BR /> Fields will only be auto-extracted for self-describing log formats, like key=value, json or XML, for example.</P> <P>If you want fields extracted, you will have to configure field extraction for each of the log formats you will see from your servers. You could create two sourcetypes (php_error_fmt1, php_error_fmt2) and then just search for sourcetype=php_error_fmt* to search across both formats.</P> <P>You can create your field extractions either <A href="http://docs.splunk.com/Documentation/Splunk/6.2.4/Knowledge/Createandmaintainsearch-timefieldextractionsthroughconfigurationfiles" target="_blank">via configuration files</A>, or by using the <A href="http://docs.splunk.com/Documentation/Splunk/6.2.4/Knowledge/ExtractfieldsinteractivelywithIFX" target="_blank">interactive field extractor</A> in the UI.</P> Tue, 29 Sep 2020 06:58:17 GMT https://community.splunk.com/t5/Splunk-Search/PHP-error-auto-extraction-not-working/m-p/173110#M49651 s2_splunk 2020-09-29T06:58:17Z https://community.splunk.com/t5/Splunk-Search/PHP-error-auto-extraction-not-working/m-p/173111#M49652 <P>@woodcock, thanks, I have updated my answer with the fields I'd like</P> Fri, 14 Aug 2015 08:18:13 GMT https://community.splunk.com/t5/Splunk-Search/PHP-error-auto-extraction-not-working/m-p/173111#M49652 BWRic 2015-08-14T08:18:13Z https://community.splunk.com/t5/Splunk-Search/PHP-error-auto-extraction-not-working/m-p/173112#M49653 <P>OK, try this:</P> <PRE><CODE>... | rex ".*\](?&lt;PHP_Error_Type&gt;[^:]+):\s*(?&lt;PHP_Error_Message&gt;.*)\s+in\s+(?&lt;PHP_Error_Location&gt;.*)" </CODE></PRE> Fri, 14 Aug 2015 14:48:48 GMT https://community.splunk.com/t5/Splunk-Search/PHP-error-auto-extraction-not-working/m-p/173112#M49653 woodcock 2015-08-14T14:48:48Z