Hi all. I am new to using Splunk. I am trying to extract data from a log for the last 15 minutes.
I am trying to generate an alert every time an implementation of "Weblogic AdminServer" is made on the different hosts we have with Splunk.
I would need to know who made it, the host, the application and the cluster. I used raw to extract it but it didn't work.
index=wls sourcetype=wls_adminserver
host=EWL1522
user=<torrelia>
app= consumer
cluster=homo3.8_cl1
####<Jul 24, 2020, 4:27:27,117 PM ART> <Info> <J2EE Deployment SPI> <EWL1522> <AdminServer> <[ACTIVE] ExecuteThread: '48' for queue: 'weblogic.kernel.Default (self-tuning)'> <torrelia> <> <4e1f868c-178a-4316-8cc0-a631e22c8aee-0014f65f> <1595618847117> <[severity-value: 64] [rid: 0] [partition-id: 0] [partition-name: DOMAIN] > <BEA-260121> <Initiating start operation for application,consumer#1.0 [archive: null], to homo3.8_cl1 .>
Anyone who can help me?
Thanks.
You can use the rex command to extract those fields.
index=wls sourcetype=wls_adminserver
| rex "(\<[^>]+> ){3}\<(?<Host>[^>]+)"
| rex "(\<[^>]+> ){6}\<(?<user>[^>]+)"
| rex "application,(?<app>[^#]+)"
| rex ", to (?<cluster>[\S]+)"
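The same positional extraction, written as a stand-alone Python parser (an added example, not code from the thread or from Splunk): it splits a WebLogic AdminServer line into its angle-bracket fields, takes host and user by position exactly as the `{3}` and `{6}` rex patterns do, and pulls app and cluster from the message text. The sample lines are constructed from the format shown in the question; the second one has a space after `application,`, which the bare `application,(?<app>[^#]+)` pattern would capture with a leading blank, so the regex here allows optional whitespace.

```python
import re
from typing import Dict, List, Optional

# Constructed sample log lines in the WebLogic AdminServer format from the
# thread. Line 1 mirrors the posted event; line 2 is a made-up second
# deployment with "application, " (comma + space); line 3 is a made-up
# non-deployment message that must be ignored.
SAMPLE_LOG = [
    "####<Jul 24, 2020, 4:27:27,117 PM ART> <Info> <J2EE Deployment SPI> <EWL1522> <AdminServer> <[ACTIVE] ExecuteThread: '48' for queue: 'weblogic.kernel.Default (self-tuning)'> <torrelia> <> <4e1f868c-178a-4316-8cc0-a631e22c8aee-0014f65f> <1595618847117> <[severity-value: 64] [rid: 0] [partition-id: 0] [partition-name: DOMAIN] > <BEA-260121> <Initiating start operation for application,consumer#1.0 [archive: null], to homo3.8_cl1 .>",
    "####<Jul 24, 2020, 4:31:02,005 PM ART> <Info> <J2EE Deployment SPI> <EWL9999> <AdminServer> <[ACTIVE] ExecuteThread: '12' for queue: 'weblogic.kernel.Default (self-tuning)'> <jdoe> <> <00000000-0000-0000-0000-000000000000-00000000> <1595619062005> <[severity-value: 64] [rid: 0] [partition-id: 0] [partition-name: DOMAIN] > <BEA-260121> <Initiating start operation for application, billing#2.1 [archive: null], to homo3.8_cl2 .>",
    "####<Jul 24, 2020, 4:32:10,000 PM ART> <Notice> <WebLogicServer> <EWL1522> <AdminServer> <main> <<WLS Kernel>> <> <> <1595619130000> <[severity-value: 32] [rid: 0] > <BEA-000000> <Constructed non-deployment message.>",
]

# One <...> field at a time; WebLogic fields do not contain a literal '>'
# except the "<<WLS Kernel>>" user, which we tolerate by taking the outer match.
FIELD_RE = re.compile(r"<(<?[^<>]*>?)>")
APP_RE = re.compile(r"application,\s*(?P<app>[^#\s]+)")
CLUSTER_RE = re.compile(r", to (?P<cluster>\S+)")


def parse_adminserver_line(line: str) -> Optional[Dict[str, str]]:
    """Return host/user/app/cluster for a deployment-start line, else None."""
    fields = FIELD_RE.findall(line)
    if len(fields) < 13:
        return None
    message = fields[12]
    # Only "Initiating start operation" messages (BEA-260121 in the thread).
    if not message.startswith("Initiating start operation"):
        return None
    app, cluster = APP_RE.search(message), CLUSTER_RE.search(message)
    if not (app and cluster):
        return None
    return {
        "timestamp": fields[0],
        "host": fields[3],      # 4th field, as in rex "(\<[^>]+> ){3}\<(?<Host>...)"
        "server": fields[4],
        "user": fields[6],      # 7th field, as in rex "(\<[^>]+> ){6}\<(?<user>...)"
        "app": app.group("app"),
        "cluster": cluster.group("cluster"),
    }


def extract_deployments(lines: List[str]) -> List[Dict[str, str]]:
    """Keep only the lines that describe a deployment start."""
    return [e for e in (parse_adminserver_line(l) for l in lines) if e]


if __name__ == "__main__":
    for event in extract_deployments(SAMPLE_LOG):
        print(event)
```

In Splunk the equivalent of `extract_deployments` is the rex chain above followed by `stats count by host, user, app, cluster`.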
Thanks for answering.
The problem is that the information I need does not reach me in the alert. The mail arrives like this:
host | count |
EWL1522 | 1 |
I had done something like that.
Could Splunk somehow email me only that information?
_raw | _time | host | index | linecount | source | sourcetype | splunk_server |
####<Jul 24, 2020, 4:27:27,117 PM ART> <Info> <J2EE Deployment SPI> <EWL1522> <AdminServer> <[ACTIVE] ExecuteThread: '48' for queue: 'weblogic.kernel.Default (self-tuning)'> <torrelia> <> <4e1f868c-178a-4316-8cc0-a631e22c8aee-0014f65f> <1595618847117> <[severity-value: 64] [rid: 0] [partition-id: 0] [partition-name: DOMAIN] > <BEA-260121> <Initiating start operation for application, consumer#1.0 [archive: null], to homo3.8_cl1 .> | Fri Jul 24 16:27:27 2020 | EWL1522 | wls | 1 | /u03/oracle/logs/domains/homo3_domain8/AdminServer_yyyy-MM-dd.log | wls_adminserver | EWL1522 |
Thanks, I used part of the query you sent.
index=wls sourcetype=wls_adminserver
| rex "(\<[^>]+> ){3}\<(?<AdminServer>[^>]+)"
| rex "(\<[^>]+> ){6}\<(?<User>[^>]+)"
| rex "application,(?<App>[^#]+)"
| rex ", to (?<Cluster>[\S]+)"
| stats count by AdminServer, _time, User, App, Cluster | where count > 2
Thanks.
Hmm... You should be receiving count, AdminServer, _time, User, App, and Cluster information in your alert emails. Seeing just host and count would imply the stats command is only using those two fields, but that's not the case.