I want to extract fields from WebLogic logs to use in reports.
It looks like somebody has already done the work, over at Splunkbase.com:
http://splunkbase.splunk.com/apps/All/3.x/app:WebLogic+Event+Types
and
http://splunkbase.splunk.com/apps/All/3.x/app:WebLogic+Access
1. In the Splunk console, go to Manager --> Fields --> Fields --> Field extractions
2. Click New
3. Fill in the form for a new field extraction (you can use the examples I will provide below)
4. Click Save
Note: If you are familiar with Splunk, you can tweak the Apply to filter to your liking.
You will now see additional fields available on the left whenever a search matches the regex pattern you entered and can start using these in graphs and reports.
Below are templates for step 3 to help get you started. These are working for me with WebLogic 10.3 logs.
Extraction/Transform: T>\s<(?P<BEA_LOG_LEVEL>\w*)>\s<(?P<BEA_MSG_TYPE>\w*)>\s<(?P<BEA_MACHINE>\w*)>\s<(?P<BEA_SERVER>\w*)>
Destination app: search
Extraction/Transform: <(?P<BEA_CODE>BEA-\d\d\d\d\d\d)>
Destination app: search
Extraction/Transform: (?P<BEA_SERVER_STATE>\w*)>
Destination app: search
Extraction/Transform: java\.lang\.(?P<JAVA_LANG>\w*)
Destination app: search
(?P<ORACLE_CODE>ORA-\d\d\d\d\d)
Rob
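A way to check the five extractions above offline before saving them in Splunk, as an added example that is not part of the original answer. The sample log lines, host names and function names are constructed assumptions; Python's `re` is used because it accepts the same `(?P<name>...)` named-group syntax.

```python
import re

# The five field extractions exactly as posted above (first match wins, as with re.search).
EXTRACTIONS = [
    r"T>\s<(?P<BEA_LOG_LEVEL>\w*)>\s<(?P<BEA_MSG_TYPE>\w*)>\s<(?P<BEA_MACHINE>\w*)>\s<(?P<BEA_SERVER>\w*)>",
    r"<(?P<BEA_CODE>BEA-\d\d\d\d\d\d)>",
    r"(?P<BEA_SERVER_STATE>\w*)>",
    r"java\.lang\.(?P<JAVA_LANG>\w*)",
    r"(?P<ORACLE_CODE>ORA-\d\d\d\d\d)",
]
COMPILED = [re.compile(p) for p in EXTRACTIONS]

# Constructed sample lines in a WebLogic-style layout (not taken from a real server).
SAMPLE_STATE = (
    "####<Oct 18, 2011 3:02:15 PM EDT> <Notice> <WebLogicServer> <host01> "
    "<AdminServer> <main> <<WLS Kernel>> <> <> <1318964535123> <BEA-000365> "
    "<Server state changed to RUNNING>"
)
SAMPLE_ERROR = (
    "####<Oct 18, 2011 3:05:40 PM EDT> <Error> <JDBC> <host01> "
    "<ManagedServer1> <ExecuteThread> <<anonymous>> <> <> <1318964740456> "
    "<BEA-001112> <Test failed: java.lang.NullPointerException after ORA-01017>"
)
# Same line with a hyphenated machine name, which \w* cannot span.
SAMPLE_HYPHEN = SAMPLE_STATE.replace("<host01>", "<web-01>")


def extract_fields(line):
    """Apply every extraction to one log line and merge the named groups."""
    fields = {}
    for rx in COMPILED:
        match = rx.search(line)
        if match:
            fields.update(match.groupdict())
    return fields


def missing_fields(line, expected):
    """Names in `expected` that no extraction produced for this line."""
    return sorted(set(expected) - set(extract_fields(line)))


if __name__ == "__main__":
    header = ["BEA_LOG_LEVEL", "BEA_MSG_TYPE", "BEA_MACHINE", "BEA_SERVER", "BEA_CODE"]
    for name, line in [("state", SAMPLE_STATE), ("error", SAMPLE_ERROR), ("hyphen", SAMPLE_HYPHEN)]:
        print(name, extract_fields(line), "missing:", missing_fields(line, header))
```

On these constructed lines the unanchored `BEA_SERVER_STATE` pattern captures `EDT` from the timestamp rather than the state, and the hyphenated machine name stops the first extraction from matching at all, so reports keyed on those fields would silently miss such events.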