Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

extract fields in log4j files

arjangoos
Path Finder
‎10-19-2012 05:54 AM

Hi,

I want to make a timechart of the different errors in my application. To do this I need a fieldextractions.

the log4j format is like this:
10-19@09:25:45 ERROR rss.AbstractPostcodeBasedFeedPanel - Failed to load feeds from: [http://10.9.1.192/Cms.Backend/wscmsrssservice.asmx/GetBekendmakingenByPostcode?pPostcode=3071AS]
nl.rotterdam.ioo.mijnloket.homepage.util.rss.UnableToCreateSyndFeedListException: java.net.SocketTimeoutException: Read timed out

So I want the time (10-19@09:25:45) | type of message (ERROR) | the text between ERROR and - | and the text between : and : | and the text between : and :

How can I do that. The field extraction for time and type of messages is simple but can you help me with the other extractions

Kind regards

Tags (1)
0 Karma
Reply

sdaniels
Splunk Employee
Splunk Employee
‎10-19-2012 06:31 AM

Splunk will automatically recognize the standard output for log4j. Can you use the default format? From our docs:

log4j   Log4j standard output produced by any J2EE server using log4j   2005-03-07 16:44:03,110 53223013 [PoolThread-0] INFO [STDOUT] got some property...

With a non-standard format you could use the Interactive Field Extractor capabilities to easily extract fields and create the regex for you automatically

http://docs.splunk.com/Documentation/Splunk/5.0/Knowledge/ExtractfieldsinteractivelywithIFX

I would recommend taking a look at this as well for future use of log4j and Splunk: https://github.com/damiendallimore/SplunkJavaLogging

0 Karma
Reply

sdaniels
Splunk Employee
Splunk Employee
‎10-22-2012 04:00 AM

Is ERROR and the '-' always going to be in the log?

0 Karma
Reply

arjangoos
Path Finder
‎10-22-2012 02:15 AM

At this time it is not possible to change the log4j format. So I think I need to use the interactive Field Extrator. But I am not able to get the result I want.

ERROR rss.AbstractPostcodeBasedFeedPanel -

What is the regex to get the text between ERROR and -.

Kind regards,

Arjan

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk AI Assistant for SPL | Key Use Cases to Unlock the Power of SPL

Splunk AI Assistant for SPL | Key Use Cases to Unlock the Power of SPL  The Splunk AI Assistant for SPL ...

Buttercup Games: Further Dashboarding Techniques (Part 5)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...

Customers Increasingly Choose Splunk for Observability

For the second year in a row, Splunk was recognized as a Leader in the 2024 Gartner® Magic Quadrant™ for ...