
log4j real use case

Contributor

I have a log file generated by a log4j program and put it into Splunk using sourcetype=log4j. Basically, I would like to see whether Splunk can help me do some analysis or draw charts based on the log. One of the sample rows:

2012-05-10 08:55:31,372 DEBUG ([ACTIVE] ExecuteThread: '12' for queue: 'weblogic.kernel.Default (self-tuning)') (userid|menucode) - DATARETTIME~CACHE~submenu~1~productid

Splunk identified the first column as the event time. How can I tell Splunk to do some aggregation based on userid, menucode, or product_id?

One way I can think of is to create a new sourcetype with a customized regular expression. If that's the case, I would like to know when I should use log4j as a sourcetype.

0 Karma
1 Solution

Ultra Champion

You can create a search-time field extraction for those 3 fields.
This extraction could either be specified inline using the "rex" command or saved in props.conf (manually or via Splunk Web) using the EXTRACT keyword in a sourcetype stanza.

Based on the supplied example log event in your question (a few assumptions have been made about the format of the 3 fields to extract), try this:

... | rex field=_raw "\((?<user_id>\w+)\|(?<menu_code>\w+)\).+~(?<product_id>\w+)$" | stats count by user_id, menu_code, product_id

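To check what the rex extraction in the accepted answer actually captures before building a chart on it, here is an added Python example (not code from the original answer or from Splunk) that runs the same regular expression over a few constructed log4j events in the shape of the one in the question and reproduces the "stats count by user_id, menu_code, product_id" aggregation. The user ids, menu codes and product ids in the sample events are made up. It also shows the main caveat of the "\w+" assumption: an id containing a hyphen (or a dot) is not matched, so the event silently drops out of the statistics.

```python
import re
from collections import Counter

# The search-time extraction from the accepted answer, used unchanged.
# Assumptions built into it: user id and menu code consist of \w characters
# (letters, digits, underscore) and sit in the first "(x|y)" group after the
# thread name; the product id is the \w+ token after the last "~" at the
# very end of the event.
EXTRACT_RE = re.compile(
    r"\((?P<user_id>\w+)\|(?P<menu_code>\w+)\).+~(?P<product_id>\w+)$"
)

# Constructed sample events (ids are invented, not data from the question).
_PREFIX = ("2012-05-10 08:55:31,372 DEBUG ([ACTIVE] ExecuteThread: '12' "
           "for queue: 'weblogic.kernel.Default (self-tuning)') ")
SAMPLE_EVENTS = [
    _PREFIX + "(alice|MENU01) - DATARETTIME~CACHE~submenu~1~PRD42",
    _PREFIX + "(bob|MENU01) - DATARETTIME~CACHE~submenu~1~PRD42",
    _PREFIX + "(alice|MENU02) - DATARETTIME~CACHE~submenu~1~PRD07",
    _PREFIX + "(alice|MENU01) - DATARETTIME~CACHE~submenu~1~PRD42",
    # Edge case: a hyphen in the user id is not matched by \w+, so no fields
    # are extracted and "stats count by" would drop this event.
    _PREFIX + "(svc-batch|MENU01) - DATARETTIME~CACHE~submenu~1~PRD42",
]


def extract_fields(event):
    """Equivalent of `rex field=_raw "..."`: the named groups, or None."""
    m = EXTRACT_RE.search(event.rstrip("\r\n"))
    return m.groupdict() if m else None


def stats_count_by(events, *fields):
    """Equivalent of `stats count by <fields>`.

    Events for which any requested field is missing are dropped, which is
    what Splunk does when a split-by field is absent from an event.
    """
    counts = Counter()
    for event in events:
        f = extract_fields(event)
        if f is None or any(f.get(name) is None for name in fields):
            continue
        counts[tuple(f[name] for name in fields)] += 1
    return counts


def unmatched(events):
    """Events the regex does not match: check this before trusting a chart."""
    return [e for e in events if extract_fields(e) is None]


if __name__ == "__main__":
    by_all = stats_count_by(SAMPLE_EVENTS, "user_id", "menu_code", "product_id")
    for key, n in sorted(by_all.items()):
        print(*key, n)
    for e in unmatched(SAMPLE_EVENTS):
        print("NOT EXTRACTED:", e)
```

If the unmatched list is not empty on real data, widen the character classes (for example "[^|)]+" for the user id instead of "\w+") rather than accepting a chart that quietly undercounts those users.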

Ultra Champion

You can define a search-time field extraction (inline extraction) in props.conf using the EXTRACT keyword:

http://docs.splunk.com/Documentation/Splunk/5.0.2/Admin/Propsconf

You can edit the props.conf file directly or set up an "inline" extraction in the Splunk Manager UI:
Manager » Fields » Field extractions

0 Karma
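As an added example (not taken from the answer above or from Splunk's documentation), this is what the same extraction looks like when saved in props.conf so that the fields exist in every search over the sourcetype without typing rex each time. The stanza name must equal the sourcetype ("log4j" here); the class name "menu_ids" after "EXTRACT-" and the app path in the comment are assumptions, any unique name and any app's local directory will do.

```ini
# $SPLUNK_HOME/etc/apps/search/local/props.conf  (path is an example)
[log4j]
# EXTRACT-<class> = <regex with named groups>, applied at search time to _raw
EXTRACT-menu_ids = \((?<user_id>\w+)\|(?<menu_code>\w+)\).+~(?<product_id>\w+)$
```

After saving, restart Splunk or reload the configuration, then verify with a search such as sourcetype=log4j | stats count by user_id, menu_code, product_id. The named groups become the field names, so keep them identical to the ones used in the inline rex or existing saved searches will break.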

Builder

If I use the rex command and log out/log in, will those fields be persistent and saved? How do I make those fields persistent without calling the rex command each time?

0 Karma

Contributor

Good answer!

Can you also show how to use the variables of the field values based on the search you provided?

It will be great if the result can be in a chart using the same example.

Thank you!

0 Karma