
Add tag in Splunk display for JBoss class

catty
Engager

Can we add another tag to the Splunk display layout? Like:
host=server.me.local | sourcetype=jboss_serverlog_apps | source=/opt/log/server.log | jbossclass=[this is the added tag]

My goal is this: if I have a log line like this (JBoss log):
2011-09-26 12:35:25,588 WARN org.jboss.resource.connectionmanager.TxConnectionManager Connection error occured:

we can select the text that is inside the brackets "[]" and put it into a tag. Then the tag will be displayed among the Splunk tags, after the source tag.

So the result looks like this:
host=server.me.local | sourcetype=jboss_serverlog_apps | source=/opt/log/server.log | jbossclass=org.jboss.resource.connectionmanager.TxConnectionManager

Is it possible? I greatly appreciate every reply. Thank you for your help.

Best regards,
Catty M.

0 Karma

Ayn
Legend

Absolutely!

Just create an extraction for the jbossclass field, for instance using the Interactive Field Extractor. Then, with the extraction for jbossclass done, it should show up in the field picker on the left in the Search app. Clicking the field name will give you a menu with a number of options, among others "Select/show in results", which will give you the exact behaviour you're looking for.


catty
Engager

Yes, you're right, Ayn. Thank you very much for your help, very helpful. This is my regex: [(?P[^]]+)

FIXED.

0 Karma

catty
Engager

Thank you very much for your reply

I already tried using example values like this:
[org.jboss.ejb3.interceptors.aop.InterceptorsFactory]
[com.testo.xchange.action.FolderSelector]
[org.jasig.cas.client.validation.Cas10TicketValidationFilter]

But the result is: The generated regex was unable to match all examples.

This is the sample log file:

2011-09-26 14:38:50,642 WARN org.jboss.ejb3.interceptors.aop.InterceptorsFactory EJBTHREE-1246: Do not use InterceptorsFactory with a ManagedObjectAdvisor, InterceptorRegistry should be used via the bean container

2011-09-26 14:38:50,333 INFO com.testo.xchange.action.FolderSelector set folder page to : maknyus_banget

2011-09-26 14:37:54,428 WARN org.jboss.ejb3.interceptors.aop.InterceptorsFactory EJBTHREE-1246: Do not use InterceptorsFactory with a ManagedObjectAdvisor, InterceptorRegistry should be used via the bean container

2011-09-26 14:35:35,332 INFO org.jasig.cas.client.validation.Cas10TicketValidationFilter Property [serverName] loaded from FilterConfig.getInitParameter with value [http://192.168.9.19:8080]

Can you give me a sample that selects just the text inside the brackets, or selects by column four, for my case?

0 Karma

Ayn
Legend

Give Splunk enough different examples and it should finally be able to figure out a working regular expression for you. But, this regex might work for your case:

\[(?P<FIELDNAME>[^]]+)\]\s*\(

Enter it in the text field that shows up when you click the "Edit" button in the field extractor. Then call the field what you want, like "jbossclass" for instance.

0 Karma
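
As an added example (not code from this thread or from Splunk), the Python sketch below goes a little beyond the regex above: it compares a pattern that takes the first bracketed token anywhere in the event with one anchored to the timestamp and log level, so brackets inside the message such as [serverName] never become the jbossclass value. The sample events are constructed from the thread's log lines with the class wrapped in brackets, and the names NAIVE, ANCHORED and extract are illustrative.

```python
import re

# Naive pattern: first bracketed token anywhere in the event.
NAIVE = re.compile(r"\[(?P<jbossclass>[^\]]+)\]")

# Anchored pattern: timestamp, log level, then the bracketed class as the
# fourth whitespace-separated column. The group excludes both brackets.
ANCHORED = re.compile(
    r"^\d{4}-\d{2}-\d{2}\s+\d{2}:\d{2}:\d{2},\d{3}\s+"  # date, time,millis
    r"[A-Z]+\s+"                                         # level (WARN, INFO, ...)
    r"\[(?P<jbossclass>[^\]]+)\]"                        # [logger.class.Name]
)


def extract(pattern, line):
    """Return the jbossclass value, or None when the pattern does not apply."""
    m = pattern.search(line)
    return m.group("jbossclass") if m else None


# Constructed sample events modelled on the thread's log lines.
SAMPLES = [
    "2011-09-26 14:38:50,333 INFO [com.testo.xchange.action.FolderSelector] "
    "set folder page to : maknyus_banget",
    "2011-09-26 14:35:35,332 INFO "
    "[org.jasig.cas.client.validation.Cas10TicketValidationFilter] "
    "Property [serverName] loaded from FilterConfig.getInitParameter "
    "with value [http://192.168.9.19:8080]",
    # Class column not bracketed: the only brackets are inside the message.
    "2011-09-26 14:35:35,332 INFO "
    "org.jasig.cas.client.validation.Cas10TicketValidationFilter "
    "Property [serverName] loaded from FilterConfig.getInitParameter "
    "with value [http://192.168.9.19:8080]",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print("naive   :", extract(NAIVE, line))
        print("anchored:", extract(ANCHORED, line))
```

On the third event the unanchored pattern reports serverName as the class, which is the kind of wrong field value that quietly skews searches and alerts built on jbossclass; the anchored pattern returns nothing instead.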
