Getting Data In

How to import ODL files

kp_pl
Path Finder

Is Oracle Diagnostic Logging (ODL) format supported in any way by Splunk?
On the forum I have found only one topic regarding it, but it was written 8 years ago.
This format, which I read and analyze every day, is used by SOA and OSB diagnostic logs. It is, more or less, like a CSV structure, but instead of tab/space/comma, each value is packed into brackets.

Below is an example with a short description:


[2010-09-23T10:54:00.206-07:00] [soa_server1] [NOTIFICATION] [] [oracle.mds]
[tid: [STANDBY].ExecuteThread: '1' for queue: 'weblogic.kernel.Default
(self-tuning)'] [userId: <anonymous>] [ecid: 0000I3K7DCnAhKB5JZ4Eyf19wAgN000001,0]
[APP: wsm-pm] "Metadata Services: Metadata archive (MAR) not found."


Timestamp, originating: 2010-09-23T10:54:00.206-07:00

Organization ID: soa_server1

Message Type: NOTIFICATION

Component ID: oracle.mds

Thread ID: tid: [STANDBY].ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'

User ID: userId: <anonymous>

Execution Context ID: ecid: 0000I3K7DCnAhKB5JZ4Eyf19wAgN000001,0

Supplemental Attribute: APP: wsm-pm

Message Text: "Metadata Services: Metadata archive (MAR) not found."


Any solution or hints on how to manage it in Splunk?


regards
KP.

0 Karma

ITWhisperer
SplunkTrust

You can parse this event with rex

https://regex101.com/r/eUputR/1

However, this assumes you have an empty / not required field for the 4th bracket pair, and that you don't have further nesting of bracketed sub-strings in the Thread ID
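
The answer above notes that the regex assumes an empty fourth bracket pair and no further nested brackets in the Thread ID. As an added example (not part of the original posts and not Splunk code), this Python parser splits a record by bracket depth instead, so both of those cases parse; the names in `HEADER` and the one-line `SAMPLE` are assumptions built from the record in the question.

```python
# Constructed sample: the record from the question, joined onto one line.
SAMPLE = (
    "[2010-09-23T10:54:00.206-07:00] [soa_server1] [NOTIFICATION] [] [oracle.mds] "
    "[tid: [STANDBY].ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'] "
    "[userId: <anonymous>] [ecid: 0000I3K7DCnAhKB5JZ4Eyf19wAgN000001,0] "
    '[APP: wsm-pm] "Metadata Services: Metadata archive (MAR) not found."'
)

# Names for the five positional fields. "message_id" for the fourth pair is an
# assumption; the thread only shows that pair empty and does not name it.
HEADER = ("timestamp", "organization_id", "message_type", "message_id", "component_id")


def split_fields(record):
    """Return (top-level bracketed fields, trailing message text)."""
    fields, depth, start, end = [], 0, 0, 0
    for i, ch in enumerate(record):
        if ch == "[":
            if depth == 0:
                start = i + 1          # opening of a top-level field
            depth += 1                 # a nested "[" only deepens the count
        elif ch == "]" and depth:
            depth -= 1
            if depth == 0:             # matching close of the top-level field
                fields.append(record[start:i])
                end = i + 1
        elif depth == 0 and not ch.isspace():
            break                      # first text outside brackets: the message
    if depth:
        raise ValueError("unbalanced brackets in ODL record")
    return fields, record[end:].strip()


def parse_odl(record):
    """Parse one ODL record into a dict of named fields."""
    fields, message = split_fields(record)
    if len(fields) < len(HEADER):
        raise ValueError("expected at least %d bracketed fields" % len(HEADER))
    event = dict(zip(HEADER, fields))
    for attr in fields[len(HEADER):]:  # remaining pairs are "name: value"
        name, sep, value = attr.partition(": ")
        if not sep:
            raise ValueError("attribute without 'name: value' form: %r" % attr)
        event[name] = value
    event["message"] = message.strip('"')
    return event
```

`parse_odl(SAMPLE)` returns the fields listed in the question, with `tid` keeping its inner `[STANDBY]` intact; brackets inside the quoted message text are left alone because scanning stops at the first text outside a bracket pair.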

kp_pl
Path Finder

ITWhisperer - thanks for your answer - fits perfectly!

Is the creation of my own source-type difficult - any hints or tutorials about it?

KP

0 Karma