Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

HOw to import ODL files

kp_pl
Path Finder
‎03-13-2024 12:11 AM

Is Oracle Diagnostic Logging ( ODL) format supported in any way by Splunk ?
On the forum I have found only one topic regarding it but it had been written 8 years ago ?
This format, I read and analyze every day, is used by SOA and OSB diagnostic logs. It is, more or less, like csv structure but instead of tab/space/comma, each value is pakced into brakets

Below example with the short descrption


[2010-09-23T10:54:00.206-07:00] [soa_server1] [NOTIFICATION] [] [oracle.mds]
[tid: [STANDBY].ExecuteThread: '1' for queue: 'weblogic.kernel.Default
(self-tuning)'] [userId: <anonymous>] [ecid: 0000I3K7DCnAhKB5JZ4Eyf19wAgN000001,0]
[APP: wsm-pm] "Metadata Services: Metadata archive (MAR) not found."


Timestamp, originating: 2010-09-23T10:54:00.206-07:00

Organization ID: soa_server1

Message Type: NOTIFICATION

Component ID: oracle.mds

Thread ID: tid: [STANDBY].ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'

User ID: userId: <anonymous>

Execution Context ID: ecid: 0000I3K7DCnAhKB5JZ4Eyf19wAgN000001,0

Supplemental Attribute: APP: wsm-pm

Message Text: "Metadata Services: Metadata archive (MAR) not found."


Any solution, hints how to manage it in Splunk ?


regards
KP.

Labels (1)
Labels
Tags (1)
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎03-13-2024 02:16 AM

You can parse this event with rex

https://regex101.com/r/eUputR/1

However, this assumes you have an empty / not required field for the 4th bracket pair, and that you don't have further nesting of bracketed sub-strings in the Thread ID

Reply

kp_pl
Path Finder
‎03-14-2024 05:12 AM

ITWhisperer - thanks for your answer  - fits perfect!  

Is the creation of own source-type difficult -  any hints, tutorials about it ?

 

KP

 

 

 

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | Why did the turkey cross the road?

November 2025 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  &#x1f680; Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Feel the Splunk Love: Real Stories from Real Customers

Hello Splunk Community,    What’s the best part of hearing how our customers use Splunk? Easy: the positive ...