How to configure '.out' files in inputs.conf?

pavanae
Builder

Until now in our environment we have monitored only the log files which are in '.log' format on the Universal Forwarder server, as follows:

In inputs.conf :

[monitor:///Home_DB/Oracle/webcenter/logs/sites.log]
index = cms_clb
sourcetype = log4j

[monitor:///Home_DB/Oracle/webcenter/logs/cas.log]
index = cms_clb
sourcetype = log4j

Now as a part of the security requirement, we need to monitor a few more log files from the path /Home_DB/Oracle/Middleware/user_projects/domains/webcenter/servers/webcenter-delivery1/logs/webcenter-delivery1.out, but here the logs were in .out format. How do I add this path in inputs.conf and if added, what would be the source type for .out format?
Please help me out ASAP.

Thanks in Advance.

0 Karma
1 Solution

richgalloway
SplunkTrust

You'll need to examine the .out files or consult with dev/tech support to learn the source type. Then add a new stanza to your inputs.conf file.

[monitor:///Home_DB/Oracle/Middleware/user_projects/domains/webcenter/servers/webcenter-delivery1/logs/webcenter-delivery1.out]
index = cms_clb
sourcetype = foo

You may then need to modify props.conf to tell Splunk how to process the sourcetype.

---
If this reply helps you, Karma would be appreciated.

pavanae
Builder

Jul 09, 2015 3:28:44 PM net.sf.ehcache.CacheManager addShutdownHookIfRequired
INFO: The CacheManager shutdown hook is enabled because net.sf.ehcache.enableShutdownHook is set to true.
Jul 09, 2015 3:28:44 PM net.sf.ehcache.CacheManager addShutdownHookIfRequired
INFO: The CacheManager shutdown hook is enabled because net.sf.ehcache.enableShutdownHook is set to true.
Jul 09, 2015 3:28:44 PM net.sf.ehcache.Cache createDiskStore
INFO: **** Running custom ehcache jar using numOfDiskStores=10
Jul 09, 2015 3:28:45 PM com.sun.jersey.server.impl.application.WebApplicationImpl initiate
INFO: Initiating Jersey application, version 'Jersey: 1.1.4.1 11/24/2009 01:30 AM'
Oracle WebCenter Sites 11gR1 11.1.1.8.0
Copyright (c) 2011,2013, Oracle and/or its affiliates. All Rights Reserved.

Oracle WebCenter Sites 11.1.1.8.0 Build Date: Jul 11 2014 at 15:16:48 Build Number: 35 Revision:165274

Jul 09, 2015 3:28:46 PM net.sf.ehcache.CacheManager addShutdownHookIfRequired
INFO: The CacheManager shutdown hook is enabled because net.sf.ehcache.enableShutdownHook is set to true.
Oracle WebCenter Sites 11gR1 11.1.1.8.0
Copyright (c) 2011,2013, Oracle and/or its affiliates. All Rights Reserved.

Oracle WebCenter Sites |Satellite Server 11.1.1.8.0 Build Date: Jul 11 2014 at 15:16:48 Build Number: 35 Revision:165274

Oracle WebCenter Sites 11gR1 11.1.1.8.0
Copyright (c) 2011,2013, Oracle and/or its affiliates. All Rights Reserved.

Oracle WebCenter Sites |Satellite Server 11.1.1.8.0 Build Date: Jul 11 2014 at 15:16:48 Build Number: 35 Revision:165274

Oracle WebCenter Sites 11gR1 11.1.1.8.0
Copyright (c) 2011,2013, Oracle and/or its affiliates. All Rights Reserved.

Oracle WebCenter Sites |Satellite Server 11.1.1.8.0 Build Date: Jul 11 2014 at 15:16:48 Build Number: 35 Revision:165274

2015-07-09 15:28:51,881 INFO [org.jasig.cas.services.DefaultServicesManagerImpl] -


GMS: address is 10.100.236.92:38365

2015-07-09 15:28:54,639 INFO [org.jasig.cas.util.AutowiringSchedulerFactoryBean] -
2015-07-09 15:28:55,376 INFO [org.jasig.cas.web.flow.AuthenticationViaFormAction] -
Jul 09, 2015 3:28:55 PM com.sun.jersey.spi.spring.container.servlet.SpringServlet getContext
INFO: Using default applicationContext
Jul 09, 2015 3:28:55 PM com.sun.jersey.spi.spring.container.SpringComponentProviderFactory register
INFO: Registering Spring bean, TicketResource, of type com.fatwire.wem.sso.cas.integration.rest.TicketResource as a root resource class
Jul 09, 2015 3:28:55 PM com.sun.jersey.spi.spring.container.SpringComponentProviderFactory register
INFO: Registering Spring bean, TicketGrantingTicketResource, of type com.fatwire.wem.sso.cas.integration.rest.TicketGrantingTicketResource as a root resource class
Jul 09, 2015 3:28:55 PM com.sun.jersey.server.impl.application.WebApplicationImpl initiate
INFO: Initiating Jersey application, version 'Jersey: 1.1.4.1 11/24/2009 01:30 AM'

2015-07-09 15:29:14,586 INFO [org.jasig.cas.ticket.registry.support.DefaultTicketRegistryCleaner] -
2015-07-09 15:29:14,611 INFO [org.jasig.cas.ticket.registry.support.DefaultTicketRegistryCleaner] - <0 found to be removed. Removing now.>
2015-07-09 15:29:14,611 INFO [org.jasig.cas.ticket.registry.support.DefaultTicketRegistryCleaner] -
Initializing MDCLoggingContext
Initializing MDCLoggingContext
Attempting to load ESAPI.properties via file I/O.
Attempting to load ESAPI.properties as resource file via file I/O.
Not found in 'org.owasp.esapi.resources' directory or file not readable: /AE/Oracle/Middleware/user_projects/domains/webcenter/ESAPI.properties
Not found in SystemResource Directory/resourceDirectory: .esapi/ESAPI.properties
Not found in 'user.home' (/home/weblogic) directory: /home/weblogic/esapi/ESAPI.properties
Loading ESAPI.properties via file I/O failed. Exception was: java.io.FileNotFoundException
Attempting to load ESAPI.properties via the classpath.
SUCCESSFULLY LOADED ESAPI.properties via the CLASSPATH from '/ (root)' using current thread context class loader!
Attempting to load validation.properties via file I/O.
Attempting to load validation.properties as resource file via file I/O.
Not found in 'org.owasp.esapi.resources' directory or file not readable: /AE/Oracle/Middleware/user_projects/domains/webcenter/validation.properties
Not found in SystemResource Directory/resourceDirectory: .esapi/validation.properties
Not found in 'user.home' (/home/weblogic) directory: /home/weblogic/esapi/validation.properties
Loading validation.properties via file I/O failed.
Attempting to load validation.properties via the classpath.
SUCCESSFULLY LOADED validation.properties via the CLASSPATH from '/ (root)' using current thread context class loader!
Attempting to load antisamy-esapi.xml as resource file via file I/O.
Not found in 'org.owasp.esapi.resources' directory or file not readable: /AE/Oracle/Middleware/user_projects/domains/webcenter/antisamy-esapi.xml
Not found in SystemResource Directory/resourceDirectory: .esapi/antisamy-esapi.xml
Not found in 'user.home' (/home/weblogic) directory: /home/weblogic/esapi/antisamy-esapi.xml
2015-07-09 15:30:54,587 INFO [org.jasig.cas.services.DefaultServicesManagerImpl] -
2015-07-09 15:30:54,588 INFO [org.jasig.cas.services.DefaultServicesManagerImpl] -
2015-07-09 15:32:54,580 INFO [org.jasig.cas.services.DefaultServicesManagerImpl] -
2015-07-09 15:32:54,580 INFO [org.jasig.cas.services.DefaultServicesManagerImpl] -
2015-07-09 15:34:54,580 INFO [org.jasig.cas.services.DefaultServicesManagerImpl] -
2015-07-09 15:34:54,581 INFO [org.jasig.cas.services.DefaultServicesManagerImpl] -

2015-07-09 15:35:56,608 INFO [org.jasig.cas.util.AutowiringSchedulerFactoryBean] -
2015-07-09 15:35:56,611 INFO [org.jasig.cas.util.JBossCacheFactoryBean] -
log4j:WARN No appenders could be found for logger (com.fatwire.logging.cs.cache.ehcache).
log4j:WARN Please initialize the log4j system properly.
log4j:WARN See http://logging.apache.org/log4j/1.2/faq.html#noconfig for more info.

0 Karma

pavanae
Builder

This is the .out file. I tried to examine the file but I wasn't able to understand anything. Please examine this and tell me what format should be given in inputs.conf for .out files like this.

0 Karma

richgalloway
SplunkTrust

That's quite a collection of styles. I suggest indexing it as plain text. Splunk will interpret most of the timestamps and assign timestamps to those lines that don't have one.

---
If this reply helps you, Karma would be appreciated.
0 Karma
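Added example, not part of the thread and not Splunk code: a way to carry out the "examine the .out files" step from the accepted answer and to see what the "collection of styles" means for event boundaries. It counts lines per timestamp layout and groups lines so that a new event starts at each timestamped line. The pattern names, the sample (lines copied from the post above) and the grouping rule are assumptions that only approximate date-based line merging.

```python
import re
from collections import Counter

# Timestamp layouts seen in the pasted webcenter-delivery1.out sample (names are hypothetical).
PATTERNS = {
    "jul": re.compile(r"^[A-Z][a-z]{2} \d{2}, \d{4} \d{1,2}:\d{2}:\d{2} [AP]M "),
    "log4j": re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3} "),
}

# Constructed sample: a few lines taken from the log posted in the thread.
SAMPLE = """\
Jul 09, 2015 3:28:44 PM net.sf.ehcache.Cache createDiskStore
INFO: **** Running custom ehcache jar using numOfDiskStores=10
Oracle WebCenter Sites 11gR1 11.1.1.8.0
2015-07-09 15:29:14,611 INFO [org.jasig.cas.ticket.registry.support.DefaultTicketRegistryCleaner] - <0 found to be removed. Removing now.>
Initializing MDCLoggingContext
Attempting to load ESAPI.properties via file I/O.
log4j:WARN Please initialize the log4j system properly.
Jul 09, 2015 3:28:55 PM com.sun.jersey.spi.spring.container.servlet.SpringServlet getContext
INFO: Using default applicationContext
"""

def classify(line):
    """Return the name of the timestamp layout the line starts with, or None."""
    for name, rx in PATTERNS.items():
        if rx.match(line):
            return name
    return None

def profile(text):
    """Count lines per layout and group them into events.

    A timestamped line opens a new event; a line without a timestamp is
    attached to the event before it (assumed rule, see lead-in).
    """
    counts, events = Counter(), []
    for line in text.splitlines():
        if not line.strip():
            continue  # blank lines carry no information here
        kind = classify(line)
        counts[kind or "none"] += 1
        if kind or not events:
            events.append({"format": kind, "lines": [line]})
        else:
            events[-1]["lines"].append(line)
    return counts, events

if __name__ == "__main__":
    counts, events = profile(SAMPLE)
    print(dict(counts), "->", len(events), "events")
```

A high "none" count, as here, means unrelated startup messages ride along with the previous timestamped event, which is worth knowing before searching or alerting on this source.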