Splunk Search

After installing Splunk and indexing logs, we updated configurations. How do we handle field extractions before and after the update?

danoconnl
Explorer

So we got Splunk installed and started indexing our logs before changes were put in place to better integrate with Splunk. How do you handle field extractions from the time before the update and the time after the update?

0 Karma

skoelpin
SplunkTrust

We went through the same issue when we upgraded ATG and our Tomcat servers. The logging format changed, which broke some of our fields, especially the JSESSION field. I ended up modifying the regular expression in each field to account for the old logging style and the new logging style. I used a | as an OR in the regex and put the new logging style first and the old logging style second to boost performance, since I'll almost always be searching the new stuff first. I then tested the regex's performance and it was insignificant, so I went this route and it's been working well for the past 6 months.

Another approach is to create a new sourcetype and re-create your fields based on that new sourcetype. This will take longer and will require you to update the query in any dashboards, alerts, and anything else which used that field.

0 Karma
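An added illustration of the single-regex approach from the answer above (not code from any poster in this thread): one pattern with the new-style prefix first and the old-style prefix second, plus a check that lists events where the extraction silently fails. The two log formats, the field name `jsession` and the helper names are assumptions, since the thread does not show the real log lines.

```python
import re

# Constructed sample events; the real formats are not shown in the thread.
OLD_STYLE = "2016-03-01 10:15:02 INFO [http-8080-1] JSESSIONID=3F2A9C1B7D login ok"
NEW_STYLE = '2016-09-01T10:15:02Z level=INFO session_id="3F2A9C1B7D" msg="login ok"'
NO_SESSION = '2016-09-01T10:15:03Z level=WARN msg="health check"'
# A third variant the pattern does not know about (colon instead of "=").
DRIFTED = '2016-09-02T08:00:00Z level=INFO JSESSIONID:3F2A9C1B7D msg="login ok"'

# New-style prefix first, old-style second, joined with | inside a
# non-capturing group. Both branches feed ONE named capture group, so
# searches, dashboards and alerts keep using the same field name for
# events indexed before and after the format change.
# (Non-capturing groups and (?P<name>...) are also valid PCRE syntax.)
JSESSION_RE = re.compile(
    r'(?:session_id="|JSESSIONID=)(?P<jsession>[0-9A-F]+)'
)

def extract_jsession(event):
    """Return the session id from either log style, or None if absent."""
    m = JSESSION_RE.search(event)
    return m.group("jsession") if m else None

def extraction_gaps(events, markers=("session_id", "JSESSIONID")):
    """Events that mention a session marker but yield no field value.

    Anything returned here is a format the alternation does not cover,
    which would otherwise show up only as missing results in searches.
    """
    return [
        e for e in events
        if any(k in e for k in markers) and extract_jsession(e) is None
    ]

if __name__ == "__main__":
    for line in (OLD_STYLE, NEW_STYLE, NO_SESSION, DRIFTED):
        print(extract_jsession(line), "<-", line)
    print("uncovered formats:", extraction_gaps(
        [OLD_STYLE, NEW_STYLE, NO_SESSION, DRIFTED]))
```

Running the gap check over a sample of events from before and after the change shows whether the combined pattern covers both periods before dashboards and alerts depend on it.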

somesoni2
Revered Legend

Did the sourcetype change, or just the log format?

0 Karma

danoconnl
Explorer

Just the log format.

0 Karma