Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Parsing Redis logs

marksnelling
Communicator
‎02-27-2012 02:43 AM

Hi,
I'm having trouble getting my Redis logs parsed correctly by Splunk, it gets the timestamps messed up.
I have the following stanzas in my indexer props.conf

[source::.../redis/redis.log(.\d+(.gz)?)?]
sourcetype=redis

[redis]
NO_BINARY_CHECK=1
TIME_PREFIX=[\d+]\s+
TIME_FORMAT=%d %b %H:%M:%S

The log filenames are in the format


/var/log/redis/redis.log
/var/log/redis/redis.log.1
/var/log/redis/redis.log.2.gz
...


The problem seems to be that the indexer doesn't want to apply the correct sourcetype to the logs, instead it uses redis.log-too_small and redis-too_small.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

_d_
Splunk Employee
Splunk Employee
‎02-27-2012 06:50 AM

I would try the following (not sure whether the editor here is omitting YOUR backslashes but please note the backslashes in TIME_PREFIX):

On the Universal Forwarder:

[source::.../redis/redis.log*]
sourcetype = redis

On the Indexer:

[redis]
NO_BINARY_CHECK = 1
TIME_PREFIX = \[\d+\]\s+
TIME_FORMAT = %d %b %H:%M:%S

OR

On the Indexer ONLY:

[source::.../redis/redis.log*]
sourcetype = redis
NO_BINARY_CHECK = 1
TIME_PREFIX = \[\d+\]\s+
TIME_FORMAT = %d %b %H:%M:%S

View solution in original post

Reply
Solved! Jump to solution
Solution

_d_
Splunk Employee
Splunk Employee
‎02-27-2012 06:50 AM

I would try the following (not sure whether the editor here is omitting YOUR backslashes but please note the backslashes in TIME_PREFIX):

On the Universal Forwarder:

[source::.../redis/redis.log*]
sourcetype = redis

On the Indexer:

[redis]
NO_BINARY_CHECK = 1
TIME_PREFIX = \[\d+\]\s+
TIME_FORMAT = %d %b %H:%M:%S

OR

On the Indexer ONLY:

[source::.../redis/redis.log*]
sourcetype = redis
NO_BINARY_CHECK = 1
TIME_PREFIX = \[\d+\]\s+
TIME_FORMAT = %d %b %H:%M:%S

Reply
Solved! Jump to solution

marksnelling
Communicator
‎02-28-2012 02:00 AM

Thanks, the first option worked.
the editor was removing the back-slashes in my post.

0 Karma
Reply
Solved! Jump to solution

_d_
Splunk Employee
Splunk Employee
‎02-27-2012 06:25 AM

Can you please post a few sample lines of your Redis log(s)?
Also, check the source stanza as it looks like you may need to escape the periods and the \d (digits). It is very likely that this is the problem - where logs are not being assigned sourcetype=redis and therefore the timestamps are not being extracted properly. Run a quick test with this and see if data comes in with correct timestamps:

[source::.../redis/redis.log*]

Hope this helps.

> please upvote and accept answer if you find it useful - thanks!

0 Karma
Reply
Solved! Jump to solution

marksnelling
Communicator
‎02-27-2012 06:33 AM

I've tried both escaping and raw periods in this stanza with no effect. I should also add that the Redis data is coming from a Universal Forwarder.

Here's a sample of the Redis logs...

[3223] 26 Feb 23:59:01 * Background append only file rewriting started by pid 19383
[19383] 26 Feb 23:59:01 * SYNC append only file rewrite performed
[3223] 26 Feb 23:59:01 * Background append only file rewriting terminated with success
rewritten.
[3223] 26 Feb 23:59:01 * The new append only file was selected for future appends.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...