1. In the Splunk console, go to Manager --> Fields --> Fields --> Field extractions
2. Click New
3. Fill in the form for a new field extraction (you can use the examples I will provide below)
   - Destination app: search
   - Name: Enter a descriptive name for the field you are extracting here
   - Apply to: host named: *
   - Type: Inline
   - Extraction/Transform: Enter your regex for field extraction here
4. Click Save
Note: If you are familiar with Splunk, you can tweak the Apply to filter to your liking.
You will now see additional fields available on the left whenever a search matches the regex pattern you entered and can start using these in graphs and reports.
Below are templates for step 3 to help get you started. These are working for me with WebLogic 10.3 logs.
- Destination app: search
- Name: BEA Info
- Apply to: host named: *
- Type: Inline
- Extraction/Transform: T>\s<(?P<BEA_LOG_LEVEL>\w*)>\s<(?P<BEA_MSG_TYPE>\w*)>\s<(?P<BEA_MACHINE>\w*)>\s<(?P<BEA_SERVER>\w*)>

- Destination app: search
- Name: BEA Code
- Apply to: host named: *
- Type: Inline
- Extraction/Transform: <(?P<BEA_CODE>BEA-\d\d\d\d\d\d)>

- Destination app: search
- Name: BEA Server State
- Apply to: host named: *
- Type: Inline
- Extraction/Transform: (?P<BEA_SERVER_STATE>\w*)>

- Destination app: search
- Name: Java Lang
- Apply to: host named: *
- Type: Inline
- Extraction/Transform: java\.lang\.(?P<JAVA_LANG>\w*)

- Destination app: search
- Name: Oracle Code
- Apply to: host named: *
- Type: Inline
- Extraction/Transform: (?P<ORACLE_CODE>ORA-\d\d\d\d\d)
Rob
answered
20 Oct '10, 14:55
Rob Jordan
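The following is an added example and not part of Rob's answer: a small Python script that runs the five inline extraction regexes from the templates above against three constructed WebLogic 10.3-style log lines, so you can see which fields each pattern produces before creating the extractions in Manager. Python's `re` module accepts the same `(?P<name>...)` named-group syntax that Splunk uses. The log lines, host names, BEA codes and message text are made up for this example. Two properties of the patterns are visible in the output: the BEA Server State regex returns the first `\w*>` it finds in the event, which on these lines is the timezone abbreviation of the timestamp, and `\w*` does not accept a hyphenated host name such as `db-host-01`, so the BEA Info extraction yields nothing for the third line. Both are worth checking against your own events when you tune the regexes.

```python
import re
from collections import Counter

# Constructed WebLogic 10.3-style log lines (not taken from the original post).
SAMPLE_LOGS = [
    "####<Oct 20, 2010 2:55:01 PM PDT> <Notice> <WebLogicServer> <myhost> <AdminServer> "
    "<main> <<WLS Kernel>> <> <> <1287611701123> <BEA-000365> "
    "<Server state changed to RUNNING>",
    "####<Oct 20, 2010 2:56:12 PM PDT> <Error> <JDBC> <myhost> <ManagedServer1> "
    "<[ACTIVE] ExecuteThread: '0'> <<WLS Kernel>> <> <> <1287611772456> <BEA-001112> "
    "<Test \"SELECT 1 FROM DUAL\" set up for pool \"ds\" failed with exception: "
    "\"java.sql.SQLException: ORA-01017: invalid username/password; logon denied\".>",
    # Hyphenated host name: \w* in the BEA Info pattern will not match it.
    "####<Oct 20, 2010 2:57:30 PM PDT> <Warning> <Deployer> <db-host-01> <ManagedServer1> "
    "<[STANDBY] ExecuteThread: '3'> <<WLS Kernel>> <> <> <1287611850789> <BEA-149004> "
    "<Failures were detected: java.lang.NullPointerException>",
]

# The five inline extractions from the post, keyed by their Name field.
EXTRACTIONS = {
    "BEA Info": (
        r"T>\s<(?P<BEA_LOG_LEVEL>\w*)>\s<(?P<BEA_MSG_TYPE>\w*)>"
        r"\s<(?P<BEA_MACHINE>\w*)>\s<(?P<BEA_SERVER>\w*)>"
    ),
    "BEA Code": r"<(?P<BEA_CODE>BEA-\d\d\d\d\d\d)>",
    "BEA Server State": r"(?P<BEA_SERVER_STATE>\w*)>",
    "Java Lang": r"java\.lang\.(?P<JAVA_LANG>\w*)",
    "Oracle Code": r"(?P<ORACLE_CODE>ORA-\d\d\d\d\d)",
}

COMPILED = {name: re.compile(pattern) for name, pattern in EXTRACTIONS.items()}


def extract_fields(event):
    """Apply every extraction to one raw event.

    Mirrors what an inline extraction does: the first match of each regex
    contributes its named groups as fields. Returns {field_name: value}.
    """
    fields = {}
    for rx in COMPILED.values():
        match = rx.search(event)
        if match:
            fields.update({k: v for k, v in match.groupdict().items() if v is not None})
    return fields


def extract_all(events):
    """Run extract_fields over a list of events; returns one dict per event."""
    return [extract_fields(event) for event in events]


def count_by_field(events, field):
    """Count events per value of one extracted field, as a report would
    (events where the field was not extracted are skipped)."""
    counts = Counter()
    for fields in extract_all(events):
        if field in fields:
            counts[fields[field]] += 1
    return dict(counts)


if __name__ == "__main__":
    for event, fields in zip(SAMPLE_LOGS, extract_all(SAMPLE_LOGS)):
        print(event[:60] + "...")
        for name, value in sorted(fields.items()):
            print(f"    {name} = {value}")
    print("events per BEA_LOG_LEVEL:", count_by_field(SAMPLE_LOGS, "BEA_LOG_LEVEL"))
```

Running it prints the fields each sample event would gain, then a per-level count of the kind you would chart once the extractions exist. If a pattern matches something other than what you expect (the timezone showing up as BEA_SERVER_STATE, for instance), adjust the regex here first and then paste the corrected version into the Extraction/Transform box.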