All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to break fileds in tomcat logs

alok_nashikkar
New Member
‎02-05-2014 11:11 PM

I want to break tomcat logs into separate fields based on search criteria but I am not able to acheieve that. My tomcat logs looks something like this:

WARN 2014-02-05 08:00:01,924 http-bio-6080-exec-251|D-abc D-abc U-0 S-b59a4a1e-d388-57a197cabd76 R-UvHm.xyz.ui.web.servlet.download.LocalCloudGetInternalServlet - LocalCloudGetInternalServlet- doGet(): /Sed/Depts/8175 A/1305120_10.avi

I have to filer as caterogy WARN/INFO and also according to domain name mentioned as D-"xyz",filename mentioned as /Sed/Depts/8175 A/1305120_10.avi.

0 Karma
Reply

kristian_kolb
Ultra Champion
‎02-06-2014 03:48 AM

You can try it out in a search with rex like so;

... | rex "^(?<log_level>[A-Z]+)" | rex "\|(?<domain>\S+)" | rex ":(?<filename>\S+)$"

If this works out well, you can make them more permanent adding the configurations to props.conf;

[your_sourcetype]
EXTRACT-log_level = ^(?<log_level>[A-Z]+)
EXTRACT-domain = \|(?<domain>\S+)
EXTRACT-file = :(?<filename>\S+)$

/k

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...