Hello @mitag,
I think you mean a CIM parser for log4j logs, not a CIM, because the CIM is organized by domain of interest (like Changes, Authentication, etc.) and not by logging method (syslog, log4j, SQL, etc.).
A general parser configuration for log4j logs could look like this:
props.conf:
[your_log_sourcetype]
# log4j writes one timestamp per event; disable the (slow) merge heuristics
# and rely on LINE_BREAKER / EVENT_BREAKER to split the stream instead
SHOULD_LINEMERGE = false
# only look at the first 30 characters after TIME_PREFIX for the timestamp
MAX_TIMESTAMP_LOOKAHEAD = 30
# default log4j pattern: yyyy-MM-dd HH:mm:ss,SSS (%3N = milliseconds)
TIME_FORMAT = %Y-%m-%d %H:%M:%S,%3N
# the timestamp is at the very beginning of each event
TIME_PREFIX = ^
# break only on a newline that is followed by a new timestamp, so multi-line
# stack traces stay attached to the event that produced them
LINE_BREAKER = ([\r\n]+)\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d,\d\d\d
# same rule for the universal forwarder so it ships complete events
EVENT_BREAKER_ENABLE = true
EVENT_BREAKER = ([\r\n]+)\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d,\d\d\d
Then you have to identify a particular CIM to map to. In your case the events contain some network exceptions - there are no matching CIMs for this. Check these links for more information:
https://docs.splunk.com/Documentation/CIM/4.15.0/User/Overview
https://docs.splunk.com/Documentation/CIM/4.15.0/User/Howtousethesereferencetables
Good luck!
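The following is an added worked example, not part of the answer above and not Splunk's own code: a small Python simulation of what that props.conf tells Splunk to do with a log4j file. It applies the LINE_BREAKER regex to split the stream into events, keeps a multi-line ConnectException stack trace attached to the ERROR line that produced it (the reason for SHOULD_LINEMERGE = false plus a timestamp-anchored breaker), and then parses each event's timestamp honouring TIME_PREFIX = ^ and MAX_TIMESTAMP_LOOKAHEAD = 30. The log lines, class names and hostnames are constructed for the example; %3N is mapped to Python's %f, which accepts a three-digit millisecond field.

```python
import re
from datetime import datetime
from typing import List, Optional, Tuple

# Python equivalent of the LINE_BREAKER / EVENT_BREAKER regex from the props.conf.
# Splunk consumes the captured newline run and starts the next event at the text
# matched after it; a lookahead reproduces that "split before the timestamp" rule.
LINE_BREAKER = re.compile(r"([\r\n]+)(?=\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d,\d\d\d)")

# TIME_PREFIX = ^  and  MAX_TIMESTAMP_LOOKAHEAD = 30
TIME_PREFIX = re.compile(r"^")
MAX_TIMESTAMP_LOOKAHEAD = 30

# TIME_FORMAT = %Y-%m-%d %H:%M:%S,%3N ; Python's %f takes 1-6 fractional digits
TIME_FORMAT = "%Y-%m-%d %H:%M:%S,%f"
TIMESTAMP_RE = re.compile(r"\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}")

# Constructed sample log4j output (not real data): one INFO line, one ERROR line
# followed by a Java stack trace, then a WARN line.
SAMPLE_LOG = "\n".join([
    "2024-03-01 12:00:01,123 INFO  [main] com.example.App - Starting service",
    "2024-03-01 12:00:02,456 ERROR [worker-1] com.example.Client - Connection failed",
    "java.net.ConnectException: Connection refused",
    "\tat java.net.PlainSocketImpl.socketConnect(Native Method)",
    "\tat com.example.Client.connect(Client.java:42)",
    "2024-03-01 12:00:03,789 WARN  [main] com.example.App - Retrying",
]) + "\n"


def break_events(raw: str) -> List[str]:
    """Split raw text into events the way LINE_BREAKER does.

    re.split with a capture group interleaves the separators into the result,
    so keep only the even-indexed pieces (the events) and drop empty ones.
    """
    parts = LINE_BREAKER.split(raw)
    events = [p.rstrip("\r\n") for i, p in enumerate(parts) if i % 2 == 0]
    return [e for e in events if e.strip()]


def extract_timestamp(event: str) -> Optional[datetime]:
    """Emulate TIME_PREFIX + MAX_TIMESTAMP_LOOKAHEAD + TIME_FORMAT.

    Only the MAX_TIMESTAMP_LOOKAHEAD characters after the prefix match are
    examined, so a timestamp buried later in the event is deliberately ignored
    (Splunk would then fall back to the previous event's time or index time).
    """
    prefix = TIME_PREFIX.search(event)
    if not prefix:
        return None
    window = event[prefix.end(): prefix.end() + MAX_TIMESTAMP_LOOKAHEAD]
    ts = TIMESTAMP_RE.match(window)
    if not ts:
        return None
    return datetime.strptime(ts.group(0), TIME_FORMAT)


def parse_log(raw: str) -> List[Tuple[Optional[datetime], str]]:
    """Break the stream into events and attach the parsed timestamp to each."""
    return [(extract_timestamp(e), e) for e in break_events(raw)]


if __name__ == "__main__":
    for ts, event in parse_log(SAMPLE_LOG):
        lines = event.count("\n") + 1
        print(f"{ts.isoformat() if ts else 'NO TIMESTAMP'}  ({lines} line(s))")
        print("   " + event.splitlines()[0])
```

Run it with `python3 log4j_breaker.py`: the stack trace arrives as part of the second event (four lines, one timestamp), which is the behaviour you want before deciding on any CIM mapping, because a field extraction on `_raw` can then see both the ERROR message and the exception class together.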