Micro Focus Service Manager logs parsing
splunking4me
Explorer
11-04-2020
03:29 AM
Hi Everyone,
I want to parse the below custom application logs. Need your help and advice.
12084( 14140) 11/02/2020 15:39:09 RTE I Base login Response: 0.999 -- RAD: 0.000 JS: 0.313 Log:0.000 Database: 0.686(00910) LDAP: 0.000 LoadBalancer: 0.000 (CPU 0.171) application:login,cleanup
12084( 14140) 11/02/2020 15:39:09 RTE I -Memory : S(4638608) O(809484) MAX(5448092) - MALLOC's Total(143004)
12084( 14140) 11/02/2020 15:39:08 RTE I User integration has logged in and is using a Named license ( 17 out of a maximum 50 )
12084( 14140) 11/02/2020 15:39:08 JRTE I GUID=b2125754-dcca-41a2-846f-f7783841fd8e
12084( 14140) 11/02/2020 15:39:08 RTE I SQL Server default schema is dbo
12084( 14140) 11/02/2020 15:39:08 RTE I MS SQL Server collation 'Arabic_100_CI_AS', varchar codepage 1256, comparison 196609: case insensitive, accent sensitive
12084( 14140) 11/02/2020 15:39:08 RTE I Connected to Data source 'SM' SQL server 'JUSTQQ-HPSQL01' version: 12.0.6329 through SQL driver version: 10.0.14393 using database 'SMPP' as user 'dbo'
12084( 14140) 11/02/2020 15:39:08 RTE I Connection established to dbtype 'sqlserver' database 'SM' user 'sm'
12084( 14140) 11/02/2020 15:39:08 RTE I API=SQLConnect
12084( 14140) 11/02/2020 15:39:08 RTE I Info: SQL State: 01000-5703 Message: [Microsoft][ODBC SQL Server Driver][SQL Server]Changed language setting to us_english.
12084( 14140) 11/02/2020 15:39:08 RTE I Info: SQL State: 01000-5701 Message: [Microsoft][ODBC SQL Server Driver][SQL Server]Changed database context to 'SMAPP'.
12084( 11436) 11/02/2020 15:39:08 JRTE I Webservice API session - Thread ID: 7C5ACF86B350A4A66FA0B58E083; Client IP: 192.168.1.1; session timeout: 45 seconds
12084( 14140) 11/02/2020 15:39:08 RTE I Total sessions since process began: 53144
12084( 14140) 11/02/2020 15:39:08 RTE I Thread 7C5ACF86B350A4A66FA795130B58E083 initialization done. Thread 1 of 50.
12084( 14140) 11/02/2020 15:39:08 RTE I Thread attaching to resources with key 0x61E13C00
12084( 14140) 11/02/2020 15:39:08 RTE I Host network address: 10.10.1.1
12084( 14140) 11/02/2020 15:39:08 RTE I Process sm 9.64.1003 (P1) System: 14080 (0x61E13C00) on PC (x64 64-bit) running Windows (6.2 Build 9200) Timezone GMT+03:00 Locale en_US from JUSTQR-SM01
12084( 14140) 11/02/2020 15:39:08 RTE I Using "utalloc" memory manager, mode [0]
12084( 11436) 11/02/2020 15:39:08 JRTE I Creating new worker thread 7C5ACF86B350A4A66FA0B58E083 t@52
9048( 19280) 11/02/2020 15:39:08 RAD I [INFO][urlCreator]: ====>https://xxxx.domain.com/src?ctx=docEngine&file=probsummary&query=number%3%22IM363572%22&action=&titl...
15984( 20140) 11/02/2020 15:39:07 RAD I [INFO][urlCreator]: ====>https://xxxx.domain.com/src?ctx=docEngine&file=probsummary&query=number%3%22IM363572%22&action=&titl...
15984( 20140) 11/02/2020 15:39:06 RAD I [INFO][urlCreator]: ====>https://xxxx.domain.com/src?ctx=docEngine&file=probsummary&query=number%3%22IM363572%22&action=&titl...
7440( 11732) 11/02/2020 15:39:05 RTE A Performance-7-$G.imAreas, Globallist $G.imAreas contains too many items! num=705 ; application(display), panel(show.rio)
7440( 11732) 11/02/2020 15:39:05 RTE A Performance-7-$G.imAreas.local, Globallist $G.imAreas.local contains too many items! num=705 ; application(display), panel(show.rio)
7440( 11732) 11/02/2020 15:39:05 RTE I -Memory : S(12882272) O(3118468) MAX(16000740) - MALLOC's Total(781539)
6984( 192) 11/02/2020 15:39:05 RAD I [INFO][urlCreator]: ====>https://xxxx.domain.com/src?ctx=docEngine&file=probsummary&query=number%3%22IM363572%22&action=&titl...
inventsekar

SplunkTrust
11-04-2020
04:07 AM
From the Splunk GUI, you can create the search-time field extractions.
thanks and best regards,
Sekar
PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
inventsekar

SplunkTrust
11-04-2020
03:50 AM
Hi @splunking4me, some more details are needed.
- Do you have UF--HF--indexer, or no HF?
- Are the logs already ingested into Splunk, or not yet?
- By the word "parsing", do you mean "field extraction"?
thanks and best regards,
Sekar
PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
splunking4me
Explorer
11-04-2020
03:59 AM
Hi inventsekar,
1. Yes, HF is available
2. Logs are already ingested into Splunk
3. Yes, I need field extraction with CIM
splunking4me
Explorer
11-04-2020
06:05 AM
Hi,
I want to extract based on CIM.
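An added example, not part of any post in this thread and not Splunk or Micro Focus code: a Python parser for the log layout shown in the first post. It extracts the common header and, for login and web-service session lines, the `user` and `src` fields named as in the Splunk CIM Authentication data model. The `action` and `app` values and the remaining field names are assumptions chosen for illustration; the same patterns can be adapted for a search-time field extraction.

```python
import re

# Header shared by every sample line: pid( tid) date time component severity message
HEADER = re.compile(
    r"^\s*(?P<pid>\d+)\(\s*(?P<tid>\d+)\)\s+"
    r"(?P<date>\d{2}/\d{2}/\d{4})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<component>[A-Z]+)\s+(?P<severity>[A-Z])\s+(?P<message>.*)$"
)
# Message-specific patterns; group names follow CIM where a field exists (user, src).
LOGIN = re.compile(
    r"User (?P<user>\S+) has logged in and is using a (?P<license_type>\w+) license "
    r"\(\s*(?P<licenses_used>\d+) out of a maximum (?P<licenses_max>\d+)\s*\)"
)
WS_SESSION = re.compile(
    r"Webservice API session - Thread ID: (?P<session_thread>[0-9A-F]+); "
    r"Client IP: (?P<src>\d{1,3}(?:\.\d{1,3}){3}); "
    r"session timeout: (?P<session_timeout>\d+) seconds"
)
RESPONSE = re.compile(
    r"Response: (?P<response_time>[\d.]+) -- .*?Database: (?P<db_time>[\d.]+)"
    r".*application:(?P<sm_application>\S+)"
)

def parse_line(line):
    """Return a dict of fields for one log line, or None if the header does not match."""
    m = HEADER.match(line)
    if m is None:
        return None  # continuation line or unknown format: do not guess
    event = m.groupdict()
    msg = event["message"]
    if (login := LOGIN.search(msg)):
        # Assumed CIM values: a "has logged in" line is a successful authentication.
        event.update(login.groupdict(), action="success", app="service_manager")
    elif (ws := WS_SESSION.search(msg)):
        event.update(ws.groupdict())
    elif (resp := RESPONSE.search(msg)):
        event.update(resp.groupdict())
    return event

# Sample lines copied from the first post in this thread.
SAMPLE = [
    "12084( 14140) 11/02/2020 15:39:08 RTE I User integration has logged in and is using a Named license ( 17 out of a maximum 50 )",
    "12084( 11436) 11/02/2020 15:39:08 JRTE I Webservice API session - Thread ID: 7C5ACF86B350A4A66FA0B58E083; Client IP: 192.168.1.1; session timeout: 45 seconds",
    "12084( 14140) 11/02/2020 15:39:09 RTE I Base login Response: 0.999 -- RAD: 0.000 JS: 0.313 Log:0.000 Database: 0.686(00910) LDAP: 0.000 LoadBalancer: 0.000 (CPU 0.171) application:login,cleanup",
    "7440( 11732) 11/02/2020 15:39:05 RTE A Performance-7-$G.imAreas, Globallist $G.imAreas contains too many items! num=705 ; application(display), panel(show.rio)",
]
if __name__ == "__main__":
    for raw in SAMPLE:
        print(parse_line(raw))
```

The date is kept as a string because the sample does not show whether `11/02/2020` is month-first or day-first; confirm that against the server locale before setting a timestamp format.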
