Splunk Search

extract fields in log4j files

arjangoos
Path Finder

Hi,

I want to make a timechart of the different errors in my application. To do this I need a fieldextractions.

the log4j format is like this:
10-19@09:25:45 ERROR rss.AbstractPostcodeBasedFeedPanel - Failed to load feeds from: [http://10.9.1.192/Cms.Backend/wscmsrssservice.asmx/GetBekendmakingenByPostcode?pPostcode=3071AS]
nl.rotterdam.ioo.mijnloket.homepage.util.rss.UnableToCreateSyndFeedListException: java.net.SocketTimeoutException: Read timed out

So I want the time (10-19@09:25:45) | type of message (ERROR) | the text between ERROR and - | and the text between : and : | and the text between : and :

How can I do that. The field extraction for time and type of messages is simple but can you help me with the other extractions

Kind regards

Tags (1)
0 Karma

sdaniels
Splunk Employee
Splunk Employee

Splunk will automatically recognize the standard output for log4j. Can you use the default format? From our docs:

log4j   Log4j standard output produced by any J2EE server using log4j   2005-03-07 16:44:03,110 53223013 [PoolThread-0] INFO [STDOUT] got some property...

With a non-standard format you could use the Interactive Field Extractor capabilities to easily extract fields and create the regex for you automatically

http://docs.splunk.com/Documentation/Splunk/5.0/Knowledge/ExtractfieldsinteractivelywithIFX

I would recommend taking a look at this as well for future use of log4j and Splunk: https://github.com/damiendallimore/SplunkJavaLogging

0 Karma

sdaniels
Splunk Employee
Splunk Employee

Is ERROR and the '-' always going to be in the log?

0 Karma

arjangoos
Path Finder

At this time it is not possible to change the log4j format. So I think I need to use the interactive Field Extrator. But I am not able to get the result I want.

ERROR rss.AbstractPostcodeBasedFeedPanel -

What is the regex to get the text between ERROR and -.

Kind regards,

Arjan

0 Karma
Get Updates on the Splunk Community!

Database Performance Sidebar Panel Now on APM Database Query Performance & Service ...

We’ve streamlined the troubleshooting experience for database-related service issues by adding a database ...

IM Landing Page Filter - Now Available

We’ve added the capability for you to filter across the summary details on the main Infrastructure Monitoring ...

Dynamic Links from Alerts to IM Navigators - New in Observability Cloud

Splunk continues to improve the troubleshooting experience in Observability Cloud with this latest enhancement ...