Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

1st report - breaking out fields, etc

lancealotx
Explorer
‎05-09-2012 07:52 AM

ok, I have my data flowing in hourly and pleased with how it's going. I now want to get into some reporting, etc. I am looking at a specific logfile that get's written, a sample string looks like this;

"INFO"|"httpSSLWorkerThread-8080-13"|"2012-05-09 09:59:59.584 EDT"|"ServiceType"|"ServiceDesc"|"20"|"0"|"76.123.70.236"|"84e778ae-fe8e-4b8f-8d33-6bc88967a2b1"|"bdae358a67b051cf0daqwdqwdwqd1ad"|"1"|"-1"|""|""|"36"|""|""|""|""|""|""|""|""|""

So, right now I simply want to run a daily report that shows the amount of traffic/events, and use the bold "20" in the above example as a value to graph (which is the response time). I'm sure the response I get will answer a lot of future questions which will be similar, the string is always the same so I am just assuming I need to define that string, name the fields what they are, etc.

is there a simple video to watch, or another way that will start me on this journey 🙂

Tnx

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

kristian_kolb
Ultra Champion
‎05-09-2012 08:33 AM

Hi,

In inputs.conf (on the forwarder if you have one) you specify the sourcetype.

[monitor:///var/log/path/to/your/file/here]
index=your_index
sourcetype=your_sourcetype

in props.conf on the indexer (unless you have a Heavy Forwarder, then it's on the forwarder) you tell Splunk to extract the field names according to instructions in another file. 

[your_sourcetype]
REPORT-fields_report_blaha = my_field_extractions

in transforms.conf on the indexer (unless you have a Heavy Forwarder ...) you specify what delimitis the values in your events, and what the fields should be called.

[my_field_extractions]
DELIMS = "|"
FIELDS = log_level, thread, timestamp, srvc_type, srvc_desc, responsetime,

etc etc etc for all the fields you have in your event.

BTW, the files you want to edit/create would most likely be in /opt/splunk/etc/system/local. Never edit files in a 'default'-directory, copy it to the 'local'-directory instead, or simply create a new one with the same name. Settings in a 'local' file override settings in a 'default' file on a per-setting basis - not the complete file.

Hope this helps,

Kristian

View solution in original post

Reply
Solved! Jump to solution
Solution

kristian_kolb
Ultra Champion
‎05-09-2012 08:33 AM

Hi,

In inputs.conf (on the forwarder if you have one) you specify the sourcetype.

[monitor:///var/log/path/to/your/file/here]
index=your_index
sourcetype=your_sourcetype

in props.conf on the indexer (unless you have a Heavy Forwarder, then it's on the forwarder) you tell Splunk to extract the field names according to instructions in another file. 

[your_sourcetype]
REPORT-fields_report_blaha = my_field_extractions

in transforms.conf on the indexer (unless you have a Heavy Forwarder ...) you specify what delimitis the values in your events, and what the fields should be called.

[my_field_extractions]
DELIMS = "|"
FIELDS = log_level, thread, timestamp, srvc_type, srvc_desc, responsetime,

etc etc etc for all the fields you have in your event.

BTW, the files you want to edit/create would most likely be in /opt/splunk/etc/system/local. Never edit files in a 'default'-directory, copy it to the 'local'-directory instead, or simply create a new one with the same name. Settings in a 'local' file override settings in a 'default' file on a per-setting basis - not the complete file.

Hope this helps,

Kristian

Reply
Solved! Jump to solution

sdaniels
Splunk Employee
Splunk Employee
‎05-09-2012 07:59 AM

Here is the example that you are looking for. This will show you how splunk can automatically generate the regex for you to extract fields.

http://docs.splunk.com/Documentation/Splunk/latest/User/InteractiveFieldExtractionExample

Reply
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...