Splunk Search

1st report - breaking out fields, etc

lancealotx
Explorer

ok, I have my data flowing in hourly and pleased with how it's going. I now want to get into some reporting, etc. I am looking at a specific logfile that gets written, a sample string looks like this:

"INFO"|"httpSSLWorkerThread-8080-13"|"2012-05-09 09:59:59.584 EDT"|"ServiceType"|"ServiceDesc"|"20"|"0"|"76.123.70.236"|"84e778ae-fe8e-4b8f-8d33-6bc88967a2b1"|"bdae358a67b051cf0daqwdqwdwqd1ad"|"1"|"-1"|""|""|"36"|""|""|""|""|""|""|""|""|""

So, right now I simply want to run a daily report that shows the amount of traffic/events, and use the bold "20" in the above example as a value to graph (which is the response time). I'm sure the response I get will answer a lot of future questions which will be similar, the string is always the same so I am just assuming I need to define that string, name the fields what they are, etc.

Is there a simple video to watch, or another way that will start me on this journey 🙂

Tnx

1 Solution

kristian_kolb
Ultra Champion

Hi,

In inputs.conf (on the forwarder if you have one) you specify the sourcetype.

[monitor:///var/log/path/to/your/file/here]
index=your_index
sourcetype=your_sourcetype

In props.conf on the indexer (unless you have a Heavy Forwarder, then it's on the forwarder) you tell Splunk to extract the field names according to instructions in another file.

[your_sourcetype]
REPORT-fields_report_blaha = my_field_extractions

In transforms.conf on the indexer (unless you have a Heavy Forwarder ...) you specify what delimits the values in your events, and what the fields should be called.

[my_field_extractions]
DELIMS = "|"
FIELDS = log_level, thread, timestamp, srvc_type, srvc_desc, responsetime,

etc etc etc for all the fields you have in your event.

BTW, the files you want to edit/create would most likely be in /opt/splunk/etc/system/local. Never edit files in a 'default'-directory, copy it to the 'local'-directory instead, or simply create a new one with the same name. Settings in a 'local' file override settings in a 'default' file on a per-setting basis - not the complete file.

Hope this helps,

Kristian
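
Added example (my code, not Kristian's and not Splunk's own): a Python stand-in for the DELIMS/FIELDS stanza above, run over the asker's sample event and followed by the per-day count and average responsetime the asker wants to graph. Only the first six field names come from the thread; status, client_ip, request_id, session_id and extra1..extra14 are assumed names, and stripping the surrounding quotes is this example's own choice.

```python
# Added example, not from the thread: a Python stand-in for the DELIMS/FIELDS
# extraction in the transforms.conf above, applied to the asker's sample event,
# then the per-day count / average responsetime the asker wants to chart.
from collections import defaultdict
from datetime import datetime

# Same order as the FIELDS list in transforms.conf. Only the first six names
# come from the thread; "status" onward are assumed names for illustration.
FIELDS = [
    "log_level", "thread", "timestamp", "srvc_type", "srvc_desc",
    "responsetime", "status", "client_ip", "request_id", "session_id",
] + [f"extra{i}" for i in range(1, 15)]  # 24 fields in the sample event


def extract_fields(event: str) -> dict:
    """Split one event on '|' and strip the surrounding quotes, mirroring
    DELIMS = "|" with the FIELDS names above (quote stripping is this
    example's choice; check what your Splunk version does with the quotes)."""
    values = [v.strip('"') for v in event.split("|")]
    if len(values) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(values)}")
    return dict(zip(FIELDS, values))


def daily_report(events) -> dict:
    """Event count and mean responsetime per day, keyed by ISO date."""
    buckets = defaultdict(lambda: {"count": 0, "total": 0})
    for line in events:
        f = extract_fields(line)
        # Splunk parses the timestamp at index time; here we read the date part.
        day = datetime.strptime(f["timestamp"][:19], "%Y-%m-%d %H:%M:%S").date()
        b = buckets[day.isoformat()]
        b["count"] += 1
        b["total"] += int(f["responsetime"])
    return {d: {"count": b["count"], "avg_responsetime": b["total"] / b["count"]}
            for d, b in buckets.items()}


# Constructed sample input: the asker's event verbatim, plus two copies moved
# to the next day with different response times.
BASE = ('"INFO"|"httpSSLWorkerThread-8080-13"|"2012-05-09 09:59:59.584 EDT"|'
        '"ServiceType"|"ServiceDesc"|"20"|"0"|"76.123.70.236"|'
        '"84e778ae-fe8e-4b8f-8d33-6bc88967a2b1"|"bdae358a67b051cf0daqwdqwdwqd1ad"|'
        '"1"|"-1"|""|""|"36"|""|""|""|""|""|""|""|""|""')
SAMPLE_EVENTS = [
    BASE,
    BASE.replace("2012-05-09 09:59:59", "2012-05-10 00:10:00").replace('|"20"|', '|"40"|'),
    BASE.replace("2012-05-09 09:59:59", "2012-05-10 13:00:00").replace('|"20"|', '|"60"|'),
]
```

In Splunk itself the same roll-up is a search such as `sourcetype=your_sourcetype | timechart span=1d count avg(responsetime)` once the extraction above is in place.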

sdaniels
Splunk Employee

Here is the example that you are looking for. This will show you how Splunk can automatically generate the regex for you to extract fields.

http://docs.splunk.com/Documentation/Splunk/latest/User/InteractiveFieldExtractionExample
