Splunk Search

extract fields in log4j files

arjangoos
Path Finder

Hi,

I want to make a timechart of the different errors in my application. To do this I need a fieldextractions.

the log4j format is like this:
10-19@09:25:45 ERROR rss.AbstractPostcodeBasedFeedPanel - Failed to load feeds from: [http://10.9.1.192/Cms.Backend/wscmsrssservice.asmx/GetBekendmakingenByPostcode?pPostcode=3071AS]
nl.rotterdam.ioo.mijnloket.homepage.util.rss.UnableToCreateSyndFeedListException: java.net.SocketTimeoutException: Read timed out

So I want the time (10-19@09:25:45) | type of message (ERROR) | the text between ERROR and - | and the text between : and : | and the text between : and :

How can I do that. The field extraction for time and type of messages is simple but can you help me with the other extractions

Kind regards

Tags (1)
0 Karma

sdaniels
Splunk Employee
Splunk Employee

Splunk will automatically recognize the standard output for log4j. Can you use the default format? From our docs:

log4j   Log4j standard output produced by any J2EE server using log4j   2005-03-07 16:44:03,110 53223013 [PoolThread-0] INFO [STDOUT] got some property...

With a non-standard format you could use the Interactive Field Extractor capabilities to easily extract fields and create the regex for you automatically

http://docs.splunk.com/Documentation/Splunk/5.0/Knowledge/ExtractfieldsinteractivelywithIFX

I would recommend taking a look at this as well for future use of log4j and Splunk: https://github.com/damiendallimore/SplunkJavaLogging

0 Karma

sdaniels
Splunk Employee
Splunk Employee

Is ERROR and the '-' always going to be in the log?

0 Karma

arjangoos
Path Finder

At this time it is not possible to change the log4j format. So I think I need to use the interactive Field Extrator. But I am not able to get the result I want.

ERROR rss.AbstractPostcodeBasedFeedPanel -

What is the regex to get the text between ERROR and -.

Kind regards,

Arjan

0 Karma
Get Updates on the Splunk Community!

Your Guide to SPL2 at .conf24!

So, you’re headed to .conf24? You’re in for a good time. Las Vegas weather is just *chef’s kiss* beautiful in ...

Get ready to show some Splunk Certification swagger at .conf24!

Dive into the deep end of data by earning a Splunk Certification at .conf24. We're enticing you again this ...

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Now On-Demand Join us to learn more about how you can leverage Service Level Objectives (SLOs) and the new ...