Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How can I report on all of those thousands of BEA- messages in our weblogic logs?

Rob_Jordan
Explorer
‎05-18-2010 01:49 PM

How can I report on all of those thousands of BEA- messages in our weblogic logs?

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Rob_Jordan
Explorer
‎05-18-2010 01:50 PM

These searches will extract BEA- messages from the logs and report by message number

Example of a BEA Message:

####<Jan 1, 2009 2:34:07 PM CDT> <Error> <WebLogicServer> <hostname> <managedserver> <[ACTIVE] ExecuteThread: '8' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1273606447204> <BEA-000337> <[STUCK] ExecuteThread: '3' for queue: 'weblogic.kernel.Default (self-tuning)' has been busy for "715" seconds working on the request

Use a regular expression to extract a custom field called BEA_MSG_NO

"<BEA-"|rex field=_raw "(?<BEA_MSG_NO>BEA-\d\d\d\d\d\d)"|stats count by BEA_MSG_NO

"<BEA-"|rex field=_raw "(?<BEA_MSG_NO>BEA-\d\d\d\d\d\d)"|timechart count by BEA_MSG_NO

"<BEA-"|rex field=_raw "(?<BEA_MSG_NO>BEA-\d\d\d\d\d\d)"|top BEA_MSG_NO limit=10000

NOTE: if you prefix your search with the sourcetype for your weblogic logs, your results should come back much faster.

sourcetype="*weblogic.out*" "<BEA-"|rex field=_raw "(?<BEA_MSG_NO>BEA-\d\d\d\d\d\d)"|stats count by BEA_MSG_NO

sourcetype="*weblogic.out*" "<BEA-"|rex field=_raw "(?<BEA_MSG_NO>BEA-\d\d\d\d\d\d)"|timechart count by BEA_MSG_NO

sourcetype="*weblogic.out*" "<BEA-"|rex field=_raw "(?<BEA_MSG_NO>BEA-\d\d\d\d\d\d)"|top BEA_MSG_NO limit=10000

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

Rob_Jordan
Explorer
‎05-18-2010 01:50 PM

These searches will extract BEA- messages from the logs and report by message number

Example of a BEA Message:

####<Jan 1, 2009 2:34:07 PM CDT> <Error> <WebLogicServer> <hostname> <managedserver> <[ACTIVE] ExecuteThread: '8' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1273606447204> <BEA-000337> <[STUCK] ExecuteThread: '3' for queue: 'weblogic.kernel.Default (self-tuning)' has been busy for "715" seconds working on the request

Use a regular expression to extract a custom field called BEA_MSG_NO

"<BEA-"|rex field=_raw "(?<BEA_MSG_NO>BEA-\d\d\d\d\d\d)"|stats count by BEA_MSG_NO

"<BEA-"|rex field=_raw "(?<BEA_MSG_NO>BEA-\d\d\d\d\d\d)"|timechart count by BEA_MSG_NO

"<BEA-"|rex field=_raw "(?<BEA_MSG_NO>BEA-\d\d\d\d\d\d)"|top BEA_MSG_NO limit=10000

NOTE: if you prefix your search with the sourcetype for your weblogic logs, your results should come back much faster.

sourcetype="*weblogic.out*" "<BEA-"|rex field=_raw "(?<BEA_MSG_NO>BEA-\d\d\d\d\d\d)"|stats count by BEA_MSG_NO

sourcetype="*weblogic.out*" "<BEA-"|rex field=_raw "(?<BEA_MSG_NO>BEA-\d\d\d\d\d\d)"|timechart count by BEA_MSG_NO

sourcetype="*weblogic.out*" "<BEA-"|rex field=_raw "(?<BEA_MSG_NO>BEA-\d\d\d\d\d\d)"|top BEA_MSG_NO limit=10000
0 Karma
Reply
Get Updates on the Splunk Community!

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Your Guide to SPL2 at .conf24!

So, you’re headed to .conf24? You’re in for a good time. Las Vegas weather is just *chef’s kiss* beautiful in ...