Splunk Search

After installing Splunk and indexing logs, we updated configurations. How do we handle field extractions before and after the update?

Explorer

So we got Splunk installed and started indexing our logs before changes were put in place to better integrate with Splunk. How do you handle field extractions from the time before the update and the time after the update?


Re: After installing Splunk and indexing logs, we updated configurations. How do we handle field extractions before and after the update?

SplunkTrust

Did the sourcetype change, OR just the log format?


Re: After installing Splunk and indexing logs, we updated configurations. How do we handle field extractions before and after the update?

Explorer

Just the log format.


Re: After installing Splunk and indexing logs, we updated configurations. How do we handle field extractions before and after the update?

SplunkTrust

We went through the same issue when we upgraded ATG and our Tomcat servers: the logging format changed, which broke some of our fields, especially the JSESSION field. I ended up modifying the regular expression in each field to account for the old logging style and the new logging style. I used a | as an OR in the regex and put the new logging style first and the old logging style second to boost performance, since I'll almost always be searching the new stuff first. I then tested the regex's performance and it was insignificant, so I went this route and it's been working well for the past 6 months.

Another approach is to create a new sourcetype and re-create your fields based on that new sourcetype. This will take longer and will require you to update the query in any dashboards, alerts, and anything else which used that field.

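The alternation approach from the answer above, as an added example that is not part of the thread: one regex with the new-format branch first and a single named capture group, checked in Python against constructed events in both formats, plus the equivalent props.conf EXTRACT line. The two log layouts and the field name jsessionid are assumptions for illustration.

```python
import re

# Constructed sample events: new log format, old log format, and one line
# that carries no session id at all.
SAMPLE_EVENTS = [
    "2024-01-05 10:00:01 INFO session=AB12CD34EF user=alice path=/cart",   # new format (assumed)
    "[05/Jan/2024:09:58:12] GET /cart;jsessionid=9F8E7D6C5B user=alice",  # old format (assumed)
    "2024-01-05 10:00:02 INFO healthcheck ok",                             # no session id
]

# The alternation lives in a non-capturing prefix, so there is exactly one
# named group. Keeping the field name unchanged means existing searches,
# dashboards and alerts keep working across the format change. The new-format
# branch is listed first so the common case never tries the old pattern.
SESSION_RE = re.compile(r"(?:\bsession=|;jsessionid=)(?P<jsessionid>[A-Za-z0-9]+)")


def extract_session(event: str):
    """Return the session id from an event in either format, or None."""
    m = SESSION_RE.search(event)
    return m.group("jsessionid") if m else None


def extract_all(events):
    """Apply the extraction to a batch of raw events."""
    return [extract_session(e) for e in events]


def splunk_extract_stanza(field: str = "jsessionid") -> str:
    """Same expression as a props.conf search-time extraction.

    Splunk's PCRE engine uses (?<name>...) for named groups, whereas Python's
    re module uses (?P<name>...); the rest of the pattern is identical.
    """
    return f"EXTRACT-{field} = (?:\\bsession=|;jsessionid=)(?<{field}>[A-Za-z0-9]+)"


if __name__ == "__main__":
    for event, sid in zip(SAMPLE_EVENTS, extract_all(SAMPLE_EVENTS)):
        print(f"{str(sid):>12}  <- {event}")
    print(splunk_extract_stanza())
```

Run the same three events through `| rex` or the EXTRACT stanza in a Splunk test index to confirm the field populates for events indexed both before and after the format change.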