After installing Splunk and indexing logs, we upda...

danoconnl · ‎10-26-2016

So we got Splunk installed and started indexing our logs before changes were put in place to better integrate with Splunk. How do you handle field extractions from the time before the update and the time after the update?

skoelpin · ‎10-27-2016

We went through the same issue when we upgraded ATG and our Tomcat servers, the logging format changed which broke some of our fields, especially the JSESSION field. I ended up modifying the regular expression in each field to account for the old logging style and the new logging style, I used a | as an OR in the regex and put the new logging style first and the old logging style second to boost performance since I'll almost always be searching the new stuff first. I then tested the regex's performance and it was insignificant so I went this route and it's been working good for the past 6 months

Another approach is to create a new sourcetype and re-create your fields based on that new sourcetype. This will take longer and will require you to update the query in any dashboards, alerts, and anything else which used that field.

somesoni2 · ‎10-26-2016

Did the sourcetype changed OR just the log format?

danoconnl · ‎10-26-2016

just the log format

After installing Splunk and indexing logs, we updated configurations. How do we handle field extractions before and after the update?

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases