Splunk Search

1st report - breaking out fields, etc

lancealotx
Explorer

ok, I have my data flowing in hourly and pleased with how it's going. I now want to get into some reporting, etc. I am looking at a specific logfile that gets written, a sample string looks like this:

"INFO"|"httpSSLWorkerThread-8080-13"|"2012-05-09 09:59:59.584 EDT"|"ServiceType"|"ServiceDesc"|"20"|"0"|"76.123.70.236"|"84e778ae-fe8e-4b8f-8d33-6bc88967a2b1"|"bdae358a67b051cf0daqwdqwdwqd1ad"|"1"|"-1"|""|""|"36"|""|""|""|""|""|""|""|""|""

So, right now I simply want to run a daily report that shows the amount of traffic/events, and use the bold "20" in the above example as a value to graph (which is the response time). I'm sure the response I get will answer a lot of future questions which will be similar, the string is always the same so I am just assuming I need to define that string, name the fields what they are, etc.

Is there a simple video to watch, or another way that will start me on this journey 🙂

Tnx


kristian_kolb
Ultra Champion

Hi,

In inputs.conf (on the forwarder if you have one) you specify the sourcetype.

[monitor:///var/log/path/to/your/file/here]
index=your_index
sourcetype=your_sourcetype

in props.conf on the indexer (unless you have a Heavy Forwarder, then it's on the forwarder) you tell Splunk to extract the field names according to instructions in another file.

[your_sourcetype]
REPORT-fields_report_blaha = my_field_extractions

in transforms.conf on the indexer (unless you have a Heavy Forwarder ...) you specify what delimits the values in your events, and what the fields should be called.

[my_field_extractions]
DELIMS = "|"
FIELDS = log_level, thread, timestamp, srvc_type, srvc_desc, responsetime,

etc etc etc for all the fields you have in your event.

BTW, the files you want to edit/create would most likely be in /opt/splunk/etc/system/local. Never edit files in a 'default'-directory, copy it to the 'local'-directory instead, or simply create a new one with the same name. Settings in a 'local' file override settings in a 'default' file on a per-setting basis - not the complete file.

Hope this helps,

Kristian
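To see what the DELIMS/FIELDS mapping above actually does to the sample event, and to get the daily count plus average response time the question asks for, here is an added Python example (not part of the thread, and not Splunk's own extraction code). It applies the same delimiter-and-field-list idea to the pipe-delimited, double-quoted format from the question. Only the first six field names come from Kristian's transforms.conf; the remaining eighteen are assumed placeholder names, since the sample event carries 24 values and a delimiter extraction mislabels every column after the first mismatch if the name list is short. The sample events are constructed here for the example.

```python
import csv
import io
from collections import defaultdict

# Delimiter and field names mirroring the transforms.conf stanza in the accepted answer.
# Only the first six names come from the answer; the rest are assumed placeholder names,
# because the sample event in the question carries 24 pipe-separated values.
DELIMS = "|"
FIELDS = ["log_level", "thread", "timestamp", "srvc_type", "srvc_desc", "responsetime"]
FIELDS += [f"unnamed_{i}" for i in range(len(FIELDS) + 1, 25)]


def parse_event(line):
    """Split one pipe-delimited, double-quoted event into a field dict.

    Raises ValueError when the value count does not match FIELDS; that is the
    mismatch that silently shifts column names in a delimiter-based extraction.
    """
    # The csv module strips the surrounding double quotes; an empty "" becomes ''.
    values = next(csv.reader(io.StringIO(line), delimiter=DELIMS, quotechar='"'))
    if len(values) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} values, got {len(values)}")
    return dict(zip(FIELDS, values))


def daily_report(raw_log):
    """Count events per day and average responsetime, the same result the SPL
    search `... | timechart span=1d count, avg(responsetime)` would give.

    Returns (report, skipped) so malformed lines are counted rather than lost.
    """
    totals = defaultdict(lambda: {"count": 0, "sum": 0.0})
    skipped = 0
    for line in raw_log.splitlines():
        if not line.strip():
            continue
        try:
            event = parse_event(line)
            rt = float(event["responsetime"])
        except ValueError:          # wrong field count or non-numeric responsetime
            skipped += 1
            continue
        day = event["timestamp"].split(" ")[0]   # "2012-05-09 09:59:59.584 EDT" -> "2012-05-09"
        totals[day]["count"] += 1
        totals[day]["sum"] += rt
    report = {day: {"count": t["count"], "avg_responsetime": t["sum"] / t["count"]}
              for day, t in sorted(totals.items())}
    return report, skipped


def _event(ts, responsetime, client_ip):
    """Build one constructed sample event in the question's 24-field layout."""
    values = ["INFO", "httpSSLWorkerThread-8080-13", ts, "ServiceType", "ServiceDesc",
              responsetime, "0", client_ip, "00000000-0000-4000-8000-000000000001",
              "constructed-session-id", "1", "-1", "", "", "36"] + [""] * 9
    return DELIMS.join(f'"{v}"' for v in values)


# Constructed sample log: three well-formed events across two days plus one
# malformed line with too few values, to show the field-count check working.
SAMPLE_LOG = "\n".join([
    _event("2012-05-09 09:59:59.584 EDT", "20", "198.51.100.7"),
    _event("2012-05-09 13:10:02.001 EDT", "40", "198.51.100.8"),
    _event("2012-05-10 08:00:15.250 EDT", "15", "198.51.100.9"),
    '"INFO"|"thread-1"|"2012-05-10 08:01:00.000 EDT"|"short"',
])

if __name__ == "__main__":
    report, skipped = daily_report(SAMPLE_LOG)
    for day, stats in report.items():
        print(f"{day}: {stats['count']} events, avg responsetime {stats['avg_responsetime']:.1f}")
    print(f"skipped malformed lines: {skipped}")
```

The field-count check is the part worth carrying back into Splunk: once FIELDS in transforms.conf names all 24 positions, a search like `index=your_index sourcetype=your_sourcetype | timechart span=1d count, avg(responsetime)` gives the same daily numbers this script prints, and events that do not split into the expected number of values are easy to spot because `responsetime` is empty or non-numeric for them.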

sdaniels
Splunk Employee

Here is the example that you are looking for. This will show you how Splunk can automatically generate the regex for you to extract fields.

http://docs.splunk.com/Documentation/Splunk/latest/User/InteractiveFieldExtractionExample
