Splunk Search

PHP_error auto extraction not working

BWRic
New Member

Hello,

I have set up two servers forwarding php error logs to Splunk. The sourcetype is set to log4php but the field auto extraction is not working.

These are what Splunk gives me:

# date_hour 2
# date_mday 1
# date_minute 2
a date_month 1
# date_second 3
a date_wday 1
# date_year 1
a date_zone 2
a index 1
# linecount 2
a punct 3
a splunk_server 1
# timeendpos 2
# timestartpos 2

Both servers have a slightly different log format:

Server 1

[13-Aug-2015 10:16:40 UTC] PHP Notice:  Use of undefined constant gdfgdg - assumed 'gdfgdg' in /srv/users/serverpilot/apps/gibhershop2/public/test.php on line 6

Server 2

[Thu Aug 13 11:36:09.160891 2015] [:error] [pid 1823] [client 141.101.98.217:23987] PHP Parse error: syntax error, unexpected '!' in /var/www/gsysmp/err.php on line 3

Edit
The fields I want are:

Server 1

PHP error type, in the example that's PHP Notice, but could be PHP Error: etc.
The actual error message, in the example Use of undefined constant gdfgdg - assumed 'gdfgdg' - so that's from the ':' of the error type up to 'in /path....'
The error location, so the path and line number: /srv/users/serverpilot/apps/gibhershop2/public/test.php on line 6

Server 2

PHP error type: [:error], again this might have other values such as warning or notice.
Error message: PHP Parse error: syntax error, unexpected '!'
Error location: /var/www/gsysmp/err.php on line 3


Am I doing something wrong? Does anyone have some good searches set up for dealing with this type of log if Splunk doesn't auto extract the fields well?

Thanks

Ric

0 Karma

woodcock
Esteemed Legend

OK, try this:

... | rex ".*\]\s*(?<PHP_Error_Type>[^:]+):\s*(?<PHP_Error_Message>.*)\s+in\s+(?<PHP_Error_Location>.*)"
0 Karma

s2_splunk
Splunk Employee

PHP error logs are not part of the pre-trained sourcetypes, per this documentation.
Fields will only be auto-extracted for self-describing log formats, like key=value, json or XML, for example.

If you want fields extracted, you will have to configure field extraction for each of the log formats you will see from your servers. You could create two sourcetypes (php_error_fmt1, php_error_fmt2) and then just search for sourcetype=php_error_fmt* to search across both formats.

You can create your field extractions either via configuration files, or by using the interactive field extractor in the UI.

0 Karma
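As an added example (not part of this thread), here is a Python version of the per-format extraction described above: one regex per sourcetype, applied to the two sample lines from the question. The sourcetype names php_error_fmt1/php_error_fmt2 follow the suggestion in the answer; the field names are assumed, with PHP_Error_Type holding "PHP Notice" for format 1 and the Apache level "error" for format 2.

```python
import re
from typing import Optional

# Format 1 (sourcetype php_error_fmt1):
#   [13-Aug-2015 10:16:40 UTC] PHP Notice:  <message> in <path> on line <n>
FMT1 = re.compile(
    r"^\[(?P<timestamp>[^\]]+)\]\s+"
    r"(?P<PHP_Error_Type>PHP [^:]+):\s+"          # "PHP Notice", "PHP Warning", ...
    r"(?P<PHP_Error_Message>.*?)\s+in\s+"         # lazy: stop at the " in <path>" tail
    r"(?P<PHP_Error_Location>\S+ on line \d+)\s*$"
)

# Format 2 (sourcetype php_error_fmt2): Apache error_log wrapper around the PHP message
#   [Thu Aug 13 11:36:09.160891 2015] [:error] [pid 1823] [client ip:port] PHP Parse error: ...
FMT2 = re.compile(
    r"^\[(?P<timestamp>[^\]]+)\]\s+"
    r"\[:(?P<PHP_Error_Type>[^\]]+)\]\s+"         # "error", "warn", "notice", ...
    r"\[pid (?P<pid>\d+)\]\s+"
    r"\[client (?P<client>[^\]]+)\]\s+"
    r"(?P<PHP_Error_Message>.*?)\s+in\s+"
    r"(?P<PHP_Error_Location>\S+ on line \d+)\s*$"
)

SOURCETYPES = (("php_error_fmt1", FMT1), ("php_error_fmt2", FMT2))


def extract_php_error(line: str) -> Optional[dict]:
    """Return the extracted fields (plus the matching sourcetype), or None if neither format matches."""
    for sourcetype, pattern in SOURCETYPES:
        m = pattern.match(line)
        if m:
            fields = m.groupdict()
            fields["sourcetype"] = sourcetype
            return fields
    return None


# Sample lines copied from the question (server 1 and server 2).
SAMPLE_FMT1 = ("[13-Aug-2015 10:16:40 UTC] PHP Notice:  Use of undefined constant gdfgdg - "
               "assumed 'gdfgdg' in /srv/users/serverpilot/apps/gibhershop2/public/test.php on line 6")
SAMPLE_FMT2 = ("[Thu Aug 13 11:36:09.160891 2015] [:error] [pid 1823] [client 141.101.98.217:23987] "
               "PHP Parse error: syntax error, unexpected '!' in /var/www/gsysmp/err.php on line 3")

if __name__ == "__main__":
    for sample in (SAMPLE_FMT1, SAMPLE_FMT2):
        print(extract_php_error(sample))
```

Searching sourcetype=php_error_fmt* then works across both formats because the same field names come out of either regex.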

woodcock
Esteemed Legend

If you will explain in each of these logs what fields are supposed to be created where, I will show you a command string that creates them.

0 Karma

BWRic
New Member

@woodcock, thanks, I have updated my answer with the fields I'd like

0 Karma