Oracle alert logs

jonathan_lam
Explorer

I need to monitor Oracle alert logs and noticed that there are no pretrained sourcetypes for Oracle logs. Do I need to create a custom sourcetype? Can I add these logs to Splunk without defining the log format?


kristian_kolb
Ultra Champion

You could probably start indexing without too much hassle. You don't need to configure anything, but you could avoid a few problems down the line by ensuring that timestamps and sourcetypes are correct.

First, create a dummy test index and upload an Oracle Alert file there to check the following:
Are timestamps recognized correctly?
Does Splunk set a sourcetype name you can live with?

If not, you'd need to fix this before you start to send the files to the production index.

This is done in props.conf and inputs.conf, respectively. inputs.conf deals with things happening during the input phase, so if you have any type of forwarder, you should edit the inputs.conf there. props.conf settings are handled in several phases, but timestamping settings should be configured on the forwarder only if you have a full forwarder. If you have UF or LWF, or no forwarder at all, this is configured on the indexer.

Some of the following might help you:

http://docs.splunk.com/Documentation/Splunk/latest/Admin/Propsconf
http://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf
http://docs.splunk.com/Documentation/Splunk/latest/Data/WhatSplunkcanmonitor

Hope this helps,

Kristian
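
A configuration sketch of the inputs.conf and props.conf settings the answer above refers to, added here as an example and not taken from the original post or from any Splunk add-on. The monitored path, the index name `oracle_test` and the sourcetype name `oracle_alert` are assumptions, and the timestamp settings assume a text alert log in which each entry begins with a line such as `Thu Mar 14 09:12:45 2013`.

```ini
# ---- inputs.conf (on the machine that reads the file, e.g. the forwarder) ----
# Path, index and sourcetype names below are placeholders (assumptions).
[monitor:///path/to/diag/rdbms/<db_name>/<instance>/trace/alert_<instance>.log]
index = oracle_test
sourcetype = oracle_alert
disabled = false

# ---- props.conf (on the indexer, or on the forwarder if it is a full forwarder) ----
# Constructed sample of the layout assumed here:
#   Thu Mar 14 09:12:45 2013
#   Thread 1 advanced to log sequence 4711
#   Thu Mar 14 09:13:02 2013
#   ORA-00060: Deadlock detected.
[oracle_alert]
# Start a new event only where a timestamp line begins,
# so multi-line entries stay together as one event.
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)(?=[A-Z][a-z]{2} [A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2} \d{4})
# The timestamp is the first thing in each event.
TIME_PREFIX = ^
TIME_FORMAT = %a %b %d %H:%M:%S %Y
MAX_TIMESTAMP_LOOKAHEAD = 30
# Upper bound on event size, in bytes, for long multi-line entries.
TRUNCATE = 10000
```

Upload a sample file to the test index first and search `index=oracle_test sourcetype=oracle_alert` to confirm that `_time` matches the entry headers. If the file uses a different timestamp layout, `TIME_FORMAT` and the lookahead in `LINE_BREAKER` need to be adjusted to match.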

talonso
Loves-to-Learn Lots

Hello, did you manage it? How were you able to send the 'alert' log to an index? I have the Splunk_TA_oracle app (it is a Heavy Forwarder), but I don't know how to receive data. Could you tell me the steps?

Many thanks and regards.

kristian_kolb
Ultra Champion

Please mark the question as 'answered' by clicking the check mark (a/o vote up) if you've found this helpful.

/k

jonathan_lam
Explorer

Thank you, sir. I was able to set up the new sourcetype without any configuration to props.conf but will look into your recommendations.
