Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

extract fields in log4j files

arjangoos
Path Finder
‎10-19-2012 05:54 AM

Hi,

I want to make a timechart of the different errors in my application. To do this I need a fieldextractions.

the log4j format is like this:
10-19@09:25:45 ERROR rss.AbstractPostcodeBasedFeedPanel - Failed to load feeds from: [http://10.9.1.192/Cms.Backend/wscmsrssservice.asmx/GetBekendmakingenByPostcode?pPostcode=3071AS]
nl.rotterdam.ioo.mijnloket.homepage.util.rss.UnableToCreateSyndFeedListException: java.net.SocketTimeoutException: Read timed out

So I want the time (10-19@09:25:45) | type of message (ERROR) | the text between ERROR and - | and the text between : and : | and the text between : and :

How can I do that. The field extraction for time and type of messages is simple but can you help me with the other extractions

Kind regards

Tags (1)
0 Karma
Reply

sdaniels
Splunk Employee
Splunk Employee
‎10-19-2012 06:31 AM

Splunk will automatically recognize the standard output for log4j. Can you use the default format? From our docs:

log4j   Log4j standard output produced by any J2EE server using log4j   2005-03-07 16:44:03,110 53223013 [PoolThread-0] INFO [STDOUT] got some property...

With a non-standard format you could use the Interactive Field Extractor capabilities to easily extract fields and create the regex for you automatically

http://docs.splunk.com/Documentation/Splunk/5.0/Knowledge/ExtractfieldsinteractivelywithIFX

I would recommend taking a look at this as well for future use of log4j and Splunk: https://github.com/damiendallimore/SplunkJavaLogging

0 Karma
Reply

sdaniels
Splunk Employee
Splunk Employee
‎10-22-2012 04:00 AM

Is ERROR and the '-' always going to be in the log?

0 Karma
Reply

arjangoos
Path Finder
‎10-22-2012 02:15 AM

At this time it is not possible to change the log4j format. So I think I need to use the interactive Field Extrator. But I am not able to get the result I want.

ERROR rss.AbstractPostcodeBasedFeedPanel -

What is the regex to get the text between ERROR and -.

Kind regards,

Arjan

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...