Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

HOw to import ODL files

kp_pl
Path Finder
‎03-13-2024 12:11 AM

Is Oracle Diagnostic Logging ( ODL) format supported in any way by Splunk ?
On the forum I have found only one topic regarding it but it had been written 8 years ago ?
This format, I read and analyze every day, is used by SOA and OSB diagnostic logs. It is, more or less, like csv structure but instead of tab/space/comma, each value is pakced into brakets

Below example with the short descrption


[2010-09-23T10:54:00.206-07:00] [soa_server1] [NOTIFICATION] [] [oracle.mds]
[tid: [STANDBY].ExecuteThread: '1' for queue: 'weblogic.kernel.Default
(self-tuning)'] [userId: <anonymous>] [ecid: 0000I3K7DCnAhKB5JZ4Eyf19wAgN000001,0]
[APP: wsm-pm] "Metadata Services: Metadata archive (MAR) not found."


Timestamp, originating: 2010-09-23T10:54:00.206-07:00

Organization ID: soa_server1

Message Type: NOTIFICATION

Component ID: oracle.mds

Thread ID: tid: [STANDBY].ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'

User ID: userId: <anonymous>

Execution Context ID: ecid: 0000I3K7DCnAhKB5JZ4Eyf19wAgN000001,0

Supplemental Attribute: APP: wsm-pm

Message Text: "Metadata Services: Metadata archive (MAR) not found."


Any solution, hints how to manage it in Splunk ?


regards
KP.

Labels (1)
Labels
Tags (1)
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎03-13-2024 02:16 AM

You can parse this event with rex

https://regex101.com/r/eUputR/1

However, this assumes you have an empty / not required field for the 4th bracket pair, and that you don't have further nesting of bracketed sub-strings in the Thread ID

Reply

kp_pl
Path Finder
‎03-14-2024 05:12 AM

ITWhisperer - thanks for your answer  - fits perfect!  

Is the creation of own source-type difficult -  any hints, tutorials about it ?

 

KP

 

 

 

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Tiling

This puzzle (first published here) is based on finding groups of tessellated tiles (inspired by floor tiles I ...

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

    Thursday, July 9, 2026  |  11:00AM–12:00PM PDT Duration: 1 hour (includes Q&A) Managing can feel like a ...

Upgrade Prep for 10.4, Network Observability Deep Dives, and More from Splunk Lantern

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...