HOw to import ODL files

kp_pl · ‎03-13-2024

Is Oracle Diagnostic Logging ( ODL) format supported in any way by Splunk ?
On the forum I have found only one topic regarding it but it had been written 8 years ago ?
This format, I read and analyze every day, is used by SOA and OSB diagnostic logs. It is, more or less, like csv structure but instead of tab/space/comma, each value is pakced into brakets

Below example with the short descrption

[2010-09-23T10:54:00.206-07:00] [soa_server1] [NOTIFICATION] [] [oracle.mds]
[tid: [STANDBY].ExecuteThread: '1' for queue: 'weblogic.kernel.Default
(self-tuning)'] [userId: <anonymous>] [ecid: 0000I3K7DCnAhKB5JZ4Eyf19wAgN000001,0]
[APP: wsm-pm] "Metadata Services: Metadata archive (MAR) not found."

Timestamp, originating: 2010-09-23T10:54:00.206-07:00

Organization ID: soa_server1

Message Type: NOTIFICATION

Component ID: oracle.mds

Thread ID: tid: [STANDBY].ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'

User ID: userId: <anonymous>

Execution Context ID: ecid: 0000I3K7DCnAhKB5JZ4Eyf19wAgN000001,0

Supplemental Attribute: APP: wsm-pm

Message Text: "Metadata Services: Metadata archive (MAR) not found."

Any solution, hints how to manage it in Splunk ?

regards
KP.

ITWhisperer · ‎03-13-2024

You can parse this event with rex

https://regex101.com/r/eUputR/1

However, this assumes you have an empty / not required field for the 4th bracket pair, and that you don't have further nesting of bracketed sub-strings in the Thread ID

kp_pl · ‎03-14-2024

ITWhisperer - thanks for your answer - fits perfect!

Is the creation of own source-type difficult - any hints, tutorials about it ?

KP

HOw to import ODL files

sourcetype

Database Performance Sidebar Panel Now on APM Database Query Performance & Service ...

IM Landing Page Filter - Now Available

Dynamic Links from Alerts to IM Navigators - New in Observability Cloud