Getting Data In

websphere startup entries

a212830
Champion

Hi,

I have a SystemOut.log from Websphere that needs to be indexed in Splunk. These logs all start with environmental information without a date, that I want to ignore. What's the best way to approach this?

The logfile starts with:

************ Start Display Current Environment ************
bunch of text without timestamps...
************* End Display Current Environment *************
[7/23/14 15:20:39:124 EDT] 00000056 SystemOut O Question Text is: When will withdrawals begin?
......

Also, I'm having issues with the timestamps. I have the following, but it's not working:

MAX_TIMESTAMP_LOOKAHEAD = 30
NO_BINARY_CHECK = 1
TIME_FORMAT= %m/%d/%y %H:%M:%S:%3N %Z
TIME_PREFIX = ^[
TRUNCATE = 999999
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)\[\d{1-2}-\d{2}-\d{2}
KV_MODE=auto
ANNOTATE_PUNCT = false
Tags (2)
0 Karma

renems
Communicator

IBM's WebSphere is not exactly keen in sticking to the logging protocol, eh? 🙂 I heard a lot of splunk developers complaining about this at splunk.conf last year.
Anyway, luckily they solved it for us, with the sourcetype: "websphere_trlog_sysout". It handles the long headers and timestamps out of the box.

0 Karma
Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!