
Parse Log Messages

mspiegel
New Member

I'm sending a series of events to Splunk with their own time stamp and username info that I built independently of Splunk. Is there any way to run or build a custom report such that I can use the data that I passed in as parameters, instead of only being able to choose from the parameters defined by Splunk?

0 Karma

southeringtonp
Motivator

What do you mean by "parameters defined by Splunk"?

Are you just trying to extract new fields?
     http://www.splunk.com/base/Documentation/latest/User/ExtractNewFields

     http://www.splunk.com/base/Documentation/latest/User/InteractiveFieldExtractionExample

0 Karma

southeringtonp
Motivator

Splunk is pretty good about picking up on timestamps out of the box. Usually if it doesn't see it, that means the timestamp is in a nonstandard format, or there's something else earlier in the message that looks like a timestamp. Also, there's a limit to how far into an event Splunk will look by default. If you can post a few lines of (sanitized) sample data, people here will be better able to help. The docs have some good information too - take a look at http://www.splunk.com/base/Documentation/latest/Admin/HowSplunkextractstimestamps
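A concrete way to apply the two points in the answer above (pin the timestamp position and control the lookahead, then expose the home-grown username as a field) is a props.conf stanza for the sourcetype the events arrive under. This is an added example and not part of the thread: the sourcetype name `custom_auth`, the field name `evt_time` and the sample events are constructed for illustration; `TIME_PREFIX`, `TIME_FORMAT`, `MAX_TIMESTAMP_LOOKAHEAD`, `EXTRACT-<class>` and `KV_MODE` are standard props.conf settings.

```ini
# props.conf (added example; sourcetype, field names and events are constructed)
#
# Constructed sample events as the application might emit them. The leading
# "id=201204030001" comes BEFORE the real timestamp and looks like a date
# (20120403), which is exactly the situation where automatic timestamp
# recognition latches onto the wrong text:
#
#   id=201204030001 evt_time=2012-04-03T14:05:22-0400 user=alice action=login result=success src=192.0.2.10
#   id=201204030002 evt_time=2012-04-03T14:05:31-0400 user=bob action=login result=failure src=192.0.2.77

[custom_auth]
# Regex that must match right before the timestamp; scanning starts after it,
# so the "id=..." digits are never mistaken for a date.
TIME_PREFIX = evt_time=
# Declare the exact strptime format instead of relying on auto-detection.
TIME_FORMAT = %Y-%m-%dT%H:%M:%S%z
# Characters scanned for the timestamp after TIME_PREFIX (from the start of
# the event when no prefix is set). The default, 128, is the "how far into an
# event" limit mentioned above; raise it if the timestamp sits deeper, or keep
# it tight once the prefix pins the position. 24 covers the value exactly.
MAX_TIMESTAMP_LOOKAHEAD = 24
# Search-time extraction of the custom username field so it behaves like a
# built-in one, e.g.  sourcetype=custom_auth | stats count by user
EXTRACT-user = user=(?<user>\S+)
# Picks up the remaining key=value pairs (action, result, src) automatically.
KV_MODE = auto
```

The timestamp settings are applied at index time, so events that were already indexed keep whatever `_time` they were given (often the index time, when the real timestamp was not recognised); re-index a small sample file after the change and confirm that `_time` equals the `evt_time` value for a few events. This matters for monitoring: an event whose `_time` is wrong silently falls outside the window of any scheduled search that relies on it, so a login-failure alert over "last 15 minutes" would never see these records.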

mspiegel
New Member

This helped a lot, thank you. However, I'm still unable to search over time from the self-created timestamp that I tried to pass into my Splunk log message. Any ideas?

0 Karma