Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Splunk support for XML log files written by System.Diagnostics.EventSchemaTraceListener

fruts
New Member
‎01-29-2013 04:54 AM

Hi

from our ASP.NET MVC application we write XML log files in the event schema format by a trace listener contained in the .NET framework (System.Diagnostics.EventSchemaTraceListener from System.Core dll). Pretty standard in the .NET micro-cosmos...

I'm wondering if and how Splunk can handle this kind of (standard Windows) event schema? The trick is the "correlation" between related activities. This way I can group activities and sub-activities not only from a technical perspective but also from a business perspective (e.g. to log the whole business process). This is a sample "event" where the correlation come into play:

<![CDATA[



0
8
16


LABS00026


StopLogicalActivity


Information
Transfer


]]>

(1) First the configuration questions:

Does Splunk "understand" this kind of XML format out-of-the-box?
How to configure the "Data input"?

(2) Second the Search questions:

How can we query all messages from a logical activity?
And how to query all related (sub-) activities with the "parent" correlation token?

Thanks in advance.

Kindly, Stefan

0 Karma
Reply

DaveSavage
Builder
‎01-29-2013 05:55 AM

Stefan, I haven't seen specific .net plug-ins (though clearly there is a potential following ;-), but Splunk will index your logs ok. Search xml in the splunk base for more. The following shows a few tweeks you may need to consider within the inputs. conf and props files using whitelists.
I'd be interested to see how it went...let us know.
Br
D

http://splunk-base.splunk.com/answers/7275/index-xml-log-files

0 Karma
Reply

fruts
New Member
‎01-29-2013 06:06 AM

D

Tnx. Just to make it clear: The event schema is not .NET specific at all. It's the standard Windows Event Log format. See "Event Schema (Windows)" on MSDN for instance: http://msdn.microsoft.com/en-us/library/windows/desktop/aa385201

Stefan

0 Karma
Reply

DaveSavage
Builder
‎01-29-2013 05:57 AM

I should add - xml with the tag data makes it eminently usable within Splunk, so less issues in respect of field identification even if you have to use regexes.

0 Karma
Reply

fruts
New Member
‎01-29-2013 05:18 AM

Because the Splunkbase tool breaks the XML data, I add a screenshot of the sample event:
alt text

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...