Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

HOw to import ODL files

kp_pl
Path Finder
‎03-13-2024 12:11 AM

Is Oracle Diagnostic Logging ( ODL) format supported in any way by Splunk ?
On the forum I have found only one topic regarding it but it had been written 8 years ago ?
This format, I read and analyze every day, is used by SOA and OSB diagnostic logs. It is, more or less, like csv structure but instead of tab/space/comma, each value is pakced into brakets

Below example with the short descrption


[2010-09-23T10:54:00.206-07:00] [soa_server1] [NOTIFICATION] [] [oracle.mds]
[tid: [STANDBY].ExecuteThread: '1' for queue: 'weblogic.kernel.Default
(self-tuning)'] [userId: <anonymous>] [ecid: 0000I3K7DCnAhKB5JZ4Eyf19wAgN000001,0]
[APP: wsm-pm] "Metadata Services: Metadata archive (MAR) not found."


Timestamp, originating: 2010-09-23T10:54:00.206-07:00

Organization ID: soa_server1

Message Type: NOTIFICATION

Component ID: oracle.mds

Thread ID: tid: [STANDBY].ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'

User ID: userId: <anonymous>

Execution Context ID: ecid: 0000I3K7DCnAhKB5JZ4Eyf19wAgN000001,0

Supplemental Attribute: APP: wsm-pm

Message Text: "Metadata Services: Metadata archive (MAR) not found."


Any solution, hints how to manage it in Splunk ?


regards
KP.

Labels (1)
Labels
Tags (1)
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎03-13-2024 02:16 AM

You can parse this event with rex

https://regex101.com/r/eUputR/1

However, this assumes you have an empty / not required field for the 4th bracket pair, and that you don't have further nesting of bracketed sub-strings in the Thread ID

Reply

kp_pl
Path Finder
‎03-14-2024 05:12 AM

ITWhisperer - thanks for your answer  - fits perfect!  

Is the creation of own source-type difficult -  any hints, tutorials about it ?

 

KP

 

 

 

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...