Are you a member of the Splunk Community?
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Need to parse the data
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Need to parse the data
Data:
[2013-03-17 23:48:23,472] [[ACTIVE] ExecuteThread: '4' for queue: 'weblogic.kernel.Default (self-tuning)'] INFO - TYPE=0;SEV=INFO;APPLID=LY.LL;ALERTKEY=LY.LL:mdb.personmaintenance.MaintainPerson:Maintain message;INCIDENT_GROUP=Loyalty Program;SUMMARY=<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
ns6:Date_Time2013-03-16T14:31:44.000000/ns6:Date_Time
ns6:UpdateSourceCW/ns6:UpdateSource
ns7:Person
ns7:FirstNameAndrea/ns7:FirstName
ns7:LastNameColocillo/ns7:LastName
ns7:DateOfBirth1978-02-17/ns7:DateOfBirth
ns7:GenderF/ns7:Gender
ns7:Aliases
/ns7:Aliases
ns7:LastUpdateDateTime2013-03-16T14:31:44.000000/ns7:LastUpdateDateTime
/ns7:Person
;CLASS=com.XXXXXXX.ly.ll.mdb.personmaintenance.MaintainPerson; -class com.XXXXXXX.ly.ll.mdb.personmaintenance.MaintainPerson
[2013-03-17 23:48:23,472] [[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'] INFO - TYPE=0;SEV=INFO;APPLID=LY.LL;ALERTKEY=LY.LL:...rsonmaintenance.MaintainPerson:MaintainPerson OnMessage;INCIDENT_GROUP=Loyalty Program;SUMMARY=MaintainPerson OnMessage for debug id 146309729: took 100 milliseconds to complete;CLASS=com.XXXXXXX.ly.ll.mdb.personmaintenance.MaintainPerson; -class com.XXXXXXX.ly.ll.mdb.personmaintenance.MaintainPerson
[2013-03-17 23:48:23,475] [[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'] INFO - TYPE=0;SEV=INFO;APPLID=LY.LL;ALERTKEY=LY.LL:mdb.personmaintenance.MaintainPerson:Maintain message;INCIDENT_GROUP=Loyalty Program;SUMMARY=<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
ns6:Date_Time2013-03-16T14:31:44.000000/ns6:Date_Time
ns6:UpdateSourceCW/ns6:UpdateSource
ns7:Person
ns7:FirstNameLEE/ns7:FirstName
ns7:MiddleNameR/ns7:MiddleName
ns7:LastNameCHRISTMANN/ns7:LastName
ns7:DateOfBirth1959-11-04/ns7:DateOfBirth
ns7:GenderM/ns7:Gender
ns7:Aliases
/ns7:Aliases
ns7:LastUpdateDateTime2013-03-16T14:31:44.000000/ns7:LastUpdateDateTime
/ns7:Person
;CLASS=com.XXXXXXX.ly.ll.mdb.personmaintenance.MaintainPerson; -class com.XXXXXXX.ly.ll.mdb.personmaintenance.MaintainPerson
data needs to be break the event whenver [2013-03-17 23:48:23,472] [[ACTIVE] occurs
Source type i used :
MAX_TIMESTAMP_LOOKAHEAD = 30
SHOULD_LINEMERGE = true
TIME_FORMAT = ^[%Y-%m-%d %H:%M:%S,%3N^]
TIME_PREFIX = ^[
BREAK_LINE_BEFORE = ^[
pulldown_type=1
But it is not breaking me properly . I ma new to splunk. Please provide me the link for 'how to parse the data'
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I think these links should help you:
http://docs.splunk.com/Documentation/Splunk/5.0.2/Data/Indexmulti-lineevents
http://splunk-base.splunk.com/apps/72283/splunk-for-oracle-weblogic-server
I would suggest:
TIME_FORMAT = ^[%Y-%m-%d %H:%M:%S,%3N^]
BREAK_ONLY_BEFORE_DATE = true
SHOULD_LINEMERGE = true
MAX_TIMESTAMP_LOOKAHEAD = 30
I removed the time_prefix because it would skip the regular expression before starting to try and match a date. So to me, your time_prefix doesn't seem correct with your time_format. That BREAK_LINE_BEFORE doesn't seem to be a valid keyword, it should be BREAK_ONLY_BEFORE.
Splunk Observability for AI
Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...
Splunk Observability as Code: From Zero to Dashboard
