Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Splunk support for XML log files written by System.Diagnostics.EventSchemaTraceListener

fruts
New Member
‎01-29-2013 04:54 AM

Hi

from our ASP.NET MVC application we write XML log files in the event schema format by a trace listener contained in the .NET framework (System.Diagnostics.EventSchemaTraceListener from System.Core dll). Pretty standard in the .NET micro-cosmos...

I'm wondering if and how Splunk can handle this kind of (standard Windows) event schema? The trick is the "correlation" between related activities. This way I can group activities and sub-activities not only from a technical perspective but also from a business perspective (e.g. to log the whole business process). This is a sample "event" where the correlation come into play:

<![CDATA[



0
8
16


LABS00026


StopLogicalActivity


Information
Transfer


]]>

(1) First the configuration questions:

Does Splunk "understand" this kind of XML format out-of-the-box?
How to configure the "Data input"?

(2) Second the Search questions:

How can we query all messages from a logical activity?
And how to query all related (sub-) activities with the "parent" correlation token?

Thanks in advance.

Kindly, Stefan

0 Karma
Reply

DaveSavage
Builder
‎01-29-2013 05:55 AM

Stefan, I haven't seen specific .net plug-ins (though clearly there is a potential following ;-), but Splunk will index your logs ok. Search xml in the splunk base for more. The following shows a few tweeks you may need to consider within the inputs. conf and props files using whitelists.
I'd be interested to see how it went...let us know.
Br
D

http://splunk-base.splunk.com/answers/7275/index-xml-log-files

0 Karma
Reply

fruts
New Member
‎01-29-2013 06:06 AM

D

Tnx. Just to make it clear: The event schema is not .NET specific at all. It's the standard Windows Event Log format. See "Event Schema (Windows)" on MSDN for instance: http://msdn.microsoft.com/en-us/library/windows/desktop/aa385201

Stefan

0 Karma
Reply

DaveSavage
Builder
‎01-29-2013 05:57 AM

I should add - xml with the tag data makes it eminently usable within Splunk, so less issues in respect of field identification even if you have to use regexes.

0 Karma
Reply

fruts
New Member
‎01-29-2013 05:18 AM

Because the Splunkbase tool breaks the XML data, I add a screenshot of the sample event:
alt text

0 Karma
Reply
Get Updates on the Splunk Community!

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...

Auto-Injector for Everything Else: Making OpenTelemetry Truly Universal

You might have seen Splunk’s recent announcement about donating the OpenTelemetry Injector to the ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...