All Apps and Add-ons

Correctly format Oracle logs in Apache Log4j

Path Finder

So I am attempting to perform some data hygiene maintenance on our environment, and one of the things I am doing is cleaning up Coldfusion logs. I have given the Coldfusion logs a sourcetype of log4j, which works mostly, but I found an odd issue in one of our application.log files. The log4j does not correctly format Oracle logs, so I end up with all the lines mixed into a mess, but it works for other errors.


"Error","jrpp-328","11/10/17","16:54:48",,"File not found: /path/index.cfm The specific sequence of files included or processed is: D:\inetpub\wwwroot\path\path\index.cfm'' "

"Error","jrpp-328","11/10/17","16:51:30",,"Type: Database, Detail: [Macromedia][Oracle JDBC Driver][Oracle]ORA-00980: synonym translation is no longer valid , SQL: SELECT [redacted] FROM [redacted] JOIN [redacted] ON pe.strm = pc.strm AND pe.sessioncode = [redacted] AND pe.classnbr = pc.classnbr WHERE pc.location <> 'WEB' AND [redacted] = (param 1) AND [redacted] = 'E' AND pe.strm = (param 2) , Stack trace: coldfusion.tagext.sql.QueryTag$DatabaseQueryException: Error Executing Database Query. at coldfusion.tagext.sql.QueryTag.doEndTag( at cf[redacted]2ecfc628081670$func[redacted].runFunction(D:\inetpub\wwwroot\path\path\cfc[redacted].cfc:69) at coldfusion.runtime.UDFMethod.invoke( at coldfusion.runtime.UDFMethod$ArgumentCollectionFilter.invoke( at coldfusion.filter.FunctionAccessFilter.invoke( at coldfusion.runtime.UDFMethod.runFilterChain( at coldfusion.runtime.UDFMethod.invoke( at coldfusion.runtime.CfJspPage.invokeUDF( ...

Is there a way to fix this in the props.conf or the transform.conf or inputs.conf, or it is just going to be a mess?


0 Karma

Re: Correctly format Oracle logs in Apache Log4j

Splunk Employee
Splunk Employee
I'd do the following in props.conf:

Based on your sample, that should break events correctly. If not, can u paste more sample events?
0 Karma