Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Software application best practice for logging sets of tuples for Splunk

gregbujak
Path Finder
‎10-30-2013 03:46 PM

When you have control of the logging in an application, what is the recommendation to make things as easy as possible for Splunk to digest/report on sets of tuples?

What should the log event(s) look like and then what would the search look like if you want to know each individual type and count.

Specific example: I have a dynamically generated set containing types and counts - myset={(widgetA | 100), (widgetB | 200), (widgetC | 5)}

Short of printing each on a separate line, whats the simplest approach? Is the above a good format?

Having semantic logging that is expressed in key value pairs separated by "=" is bread and butter. The issue here is sets and dynamic membership where the "schema" of the tuple is defined by {(type, count)}. To make this more difficult, but no less relevant: imagine if your tuple was defined by {(type, count, successes, failures)}

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jtrucks
Splunk Employee
Splunk Employee
‎10-30-2013 04:23 PM

all key=value pair formats are auto extracted, so perhaps try:

widgetA=100 widgetB=200 widgetC=5

You could even have other fields that identify the app like:

appname=myappnamehere widgetA=100 widgetB=200 widgetC=5

Enjoy!

--
Jesse Trucks
Minister of Magic

View solution in original post

Reply
Solved! Jump to solution
Solution

jtrucks
Splunk Employee
Splunk Employee
‎10-30-2013 04:23 PM

all key=value pair formats are auto extracted, so perhaps try:

widgetA=100 widgetB=200 widgetC=5

You could even have other fields that identify the app like:

appname=myappnamehere widgetA=100 widgetB=200 widgetC=5

Enjoy!

--
Jesse Trucks
Minister of Magic
Reply
Solved! Jump to solution

gregbujak
Path Finder
‎10-30-2013 06:41 PM

Gents, thx for the response(s). There is actually some nuance to this that I don't think was communicated well. I have modified the question to reflect that.

0 Karma
Reply
Solved! Jump to solution

emiller42
Motivator
‎10-30-2013 04:26 PM

Some added details: If the thing separating your pairs (in the above, the space and equals characters) could occur in your values, then quote them.

key=some_value key2="Some value" key3=12345 key4="prop1=foo prop2=bar"

Something like that will auto-extract very well with splunk, and you end up with:

key = some_value
key2 = Some value
key3 = 12345
key4 = prop1=foo prop2=bar
prop1 = foo
prop2 = bar
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

.conf25 Global Broadcast: Don’t Miss a Moment

Hello Splunkers, .conf25 is only a click away.  Not able to make it to .conf25 in person? No worries, you can ...

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...