Oracle alert logs

jonathan_lam
Explorer

I need to monitor Oracle alert logs and noticed that there are no pretrained sourcetypes for Oracle logs. Do I need to create a custom sourcetype? Can I add these logs to Splunk without defining the log format?

1 Solution

kristian_kolb
Ultra Champion

You could probably start indexing without too much hassle. You don't need to configure anything, but you could avoid a few problems down the line by ensuring that timestamps and sourcetypes are correct.

First - create a dummy test index and upload an Oracle Alert file there to check the following:
are timestamps recognized correctly?
does Splunk set a sourcetype name you can live with?

If not, you'd need to fix this before you start to send the files to the production index.

This is done in props.conf and inputs.conf, respectively. inputs.conf deals with things happening during the input phase, so if you have any type of forwarder, you should edit the inputs.conf there. props.conf settings are handled in several phases, but timestamping settings should be configured on the forwarder only if you have a full forwarder. If you have a UF or LWF, or no forwarder at all, this is configured on the indexer.

Some of the following might help you:

http://docs.splunk.com/Documentation/Splunk/latest/Admin/Propsconf
http://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf
http://docs.splunk.com/Documentation/Splunk/latest/Data/WhatSplunkcanmonitor

hope this helps,

Kristian

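As an added example (not code from the original post, from Splunk or from Oracle), here is a way to do the "check the timestamps before you touch production" step from the answer above offline. The Oracle text alert log puts each timestamp on its own line with the message on the following line(s), so the point to verify is that every event starts at a timestamp line and that the timestamp format you give Splunk actually parses. The script applies the same line-breaking regex and time formats you would put in props.conf to constructed sample lines. The sourcetype name oracle:alert, the index name, the monitor path and all sample log lines are assumptions.

```python
"""Check Splunk event breaking and timestamp parsing for an Oracle alert log.

Example code added to this thread; not from the original post, Splunk or Oracle.
The same regex and formats appear in the props.conf stanza in the comments
below, so whatever this script gets right can be pasted into props.conf.
"""
from __future__ import annotations

import re
from datetime import datetime, timezone

# inputs.conf (on the forwarder; path, sourcetype and index are assumed):
#   [monitor:///u01/app/oracle/diag/rdbms/orcl/ORCL/trace/alert_ORCL.log]
#   sourcetype = oracle:alert
#   index = oracle
#
# props.conf (on the indexer, or on a heavy forwarder; assumed sourcetype name):
#   [oracle:alert]
#   SHOULD_LINEMERGE = false
#   LINE_BREAKER = ([\r\n]+)(?=[A-Z][a-z]{2} [A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d \d{4}|\d{4}-\d\d-\d\dT)
#   MAX_TIMESTAMP_LOOKAHEAD = 40
#   TIME_FORMAT = %a %b %d %H:%M:%S %Y
#   TZ = UTC
# The pre-12.2 timestamp carries no zone, so TZ must name the database host's
# zone or _time silently drifts. 12.2+ alert logs use ISO 8601 with an offset;
# for those use TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%6N%:z (one TIME_FORMAT per
# sourcetype, so give the two layouts two sourcetypes if you ingest both).

# The lookahead from LINE_BREAKER: an event may only start at a timestamp line.
TS_LINE = re.compile(r"[A-Z][a-z]{2} [A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d \d{4}|\d{4}-\d\d-\d\dT")
LEGACY_RE = re.compile(r"[A-Z][a-z]{2} [A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d \d{4}")
ISO_RE = re.compile(r"\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d\.\d{6}[+-]\d\d:\d\d")
LEGACY_FMT = "%a %b %d %H:%M:%S %Y"   # strptime twin of the pre-12.2 TIME_FORMAT
ISO_FMT = "%Y-%m-%dT%H:%M:%S.%f%z"    # strptime twin of the 12.2+ TIME_FORMAT
MAX_LOOKAHEAD = 40                    # MAX_TIMESTAMP_LOOKAHEAD


def break_events(text: str) -> list[str]:
    """Split raw alert-log text into events the way LINE_BREAKER would."""
    events: list[list[str]] = []
    for line in text.splitlines():
        if TS_LINE.match(line) or not events:
            events.append([line])          # new event starts at a timestamp line
        else:
            events[-1].append(line)        # continuation of the current event
    return ["\n".join(ev) for ev in events]


def parse_event_time(event: str, tz: timezone = timezone.utc) -> datetime:
    """Extract _time from the event start, within MAX_TIMESTAMP_LOOKAHEAD chars."""
    head = event[:MAX_LOOKAHEAD]
    m = ISO_RE.match(head)
    if m:
        return datetime.strptime(m.group(0), ISO_FMT)
    m = LEGACY_RE.match(head)
    if m:
        # No zone in the text: apply the configured TZ, as the indexer would.
        return datetime.strptime(m.group(0), LEGACY_FMT).replace(tzinfo=tz)
    raise ValueError(f"no timestamp at event start: {head!r}")


def check_alert_log(text: str, tz: timezone = timezone.utc) -> list[tuple[str, str]]:
    """One (_time, first message line) pair per event: what the test index should show."""
    rows = []
    for ev in break_events(text):
        lines = ev.split("\n")
        rows.append((parse_event_time(ev, tz).isoformat(), lines[1] if len(lines) > 1 else ""))
    return rows


# Constructed sample lines in the pre-12.2 layout (not real log data).
SAMPLE_LEGACY = (
    "Mon Jan 15 10:23:45 2018\n"
    "Thread 1 advanced to log sequence 1234 (LGWR switch)\n"
    "  Current log# 3 seq# 1234 mem# 0: /u01/app/oracle/oradata/ORCL/redo03.log\n"
    "Mon Jan 15 10:25:01 2018\n"
    "ALTER SYSTEM SET audit_trail='NONE' SCOPE=SPFILE;\n"
)
# Constructed sample lines in the 12.2+ layout (not real log data).
SAMPLE_ISO = (
    "2023-03-08T09:15:30.123456+00:00\n"
    "ORA-00600: internal error code, arguments: [...]\n"
    "Errors in file /u01/app/oracle/diag/rdbms/orcl/ORCL/trace/ORCL_ora_12345.trc\n"
    "2023-03-08T09:16:02.000001+00:00\n"
    "Starting ORACLE instance (normal) (OS id: 2345)\n"
)

if __name__ == "__main__":
    for text in (SAMPLE_LEGACY, SAMPLE_ISO):
        for when, msg in check_alert_log(text):
            print(when, msg)
```

Run it against a copy of a real alert_SID.log (replace the constructed samples) and a ValueError points at the first event whose start is not a recognised timestamp, which is exactly the line Splunk would also mis-time. Once the breaking is right, load the file into the throwaway index the answer describes with `splunk add oneshot <file> -index <test index> -sourcetype oracle:alert` and compare _time in search with the output here. The ALTER SYSTEM line in the sample is there on purpose: with events and _time correct, `sourcetype=oracle:alert "ALTER SYSTEM"` (assumed sourcetype name) is a useful first alert for audit-setting changes.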

talonso
Loves-to-Learn Lots

Hi, did you manage it? How were you able to send the 'alert' log to an index? I have the Splunk_TA_oracle app on a Heavy Forwarder but I don't know how to receive data. Could you tell me the steps?

Thanks a lot and regards.


kristian_kolb
Ultra Champion

Please mark the question as 'answered' by clicking the check mark (and/or vote up) if you've found this helpful.

/k


jonathan_lam
Explorer

Thank you sir. I was able to set up the new sourcetype without any configuration to props.conf but will look into your recommendations.
