Adding FixEdge.log into Splunk

  • You need to log in either at http://localhost:8000 or http://splunkhostname:8000. You are now at the home page.
  • Choose "Add data".
  • On the next page, titled "Add data", choose the link "A file or directory of files".
  • Click "next" under the option "Consume any file on this Splunk server".
  • If you are adding the FixEdge log for the first time, on the next page, named "Data preview", choose "Preview data before indexing" and then either type the path to your log file or browse for it through the file dialog by clicking the "Browse server" button:
  • Here choose the option "Start a new source type" and click "Continue".

...


Now you are on the "Data preview" page. The green selection under the "Event" column shows that Splunk has already tried to parse some formatted data. As you can see, it failed to separate FixEdge.log events because of their specific structure. That is why you should click the link "adjust timestamp and event break settings":

...

To do so, return to the "Events" sheet, click the black expansion arrow under the "i" column on some event record, and click "Extract Fields":

As an example, let's break an event record into several fields. To do so we need to extract each field from the raw record with a regex. We simply type the field names in the format Splunk supports, (?<fieldname>...), and Splunk adds those fields to its field set. You can make them visible in the selection dialog by activating the corresponding check boxes.

...

Click the "Edit" button, then choose "Edit Source XML" from the drop-down menu to open the UI view source editor. By default Splunk manages the dashboard layout in so-called "simple XML":


Simple XML itself has only a few options for adjustment and should be converted into "Advanced XML" for further customization.

...

[default]
host = EPRUSARW0664
[monitor://D:\B2BITS\FIXEdge\v.5.7.0.62202\FixEdge1\log\FixEdge.log]
disabled = false
followTail = 0
sourcetype = fix_edge_log


Event break and field extraction expressions should be placed in the file local\props.conf, as follows:

...
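Both of the props.conf concerns above, the event-break rule that stops Splunk from splitting one FixEdge.log event across several records and the (?<fieldname>...) extraction regex typed into "Extract Fields", are easiest to check outside Splunk before they are saved. The script below is an added example and is not code from the original page, from FIXEdge or from Splunk: it applies a LINE_BREAKER-style regex and a Splunk-style named-group regex to a constructed log sample. The log layout, the two regexes and the field names (timestamp, level, component, message) are assumptions made for the example; the real FixEdge.log line format has to be read from the actual file.

```python
import re

# Constructed sample in the shape of a multi-line application log (not real FixEdge
# output): every event starts with a timestamp, continuation lines do not.
SAMPLE_LOG = (
    "2014-05-12 10:15:32.123 INFO  [Session] Logon received from SENDER-1\n"
    "2014-05-12 10:15:33.456 ERROR [Session] Message rejected\n"
    "    reason: missing tag 35\n"
    "    raw: 8=FIX.4.4|9=65|35=D\n"
    "2014-05-12 10:15:34.789 WARN  [Engine] Heartbeat interval exceeded\n"
)

# Candidate LINE_BREAKER value for props.conf (assumed layout): Splunk discards the text
# matched by the first capture group and starts a new event there, so break on a newline
# that is followed by a timestamp. Continuation lines without one stay inside the event.
LINE_BREAKER = r"([\r\n]+)(?=\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})"

# Field extraction written with Splunk's (?<name>...) named groups, as it would be typed
# into the "Extract Fields" dialog or an EXTRACT-<class> stanza in props.conf.
SPLUNK_EXTRACT = (
    r"^(?<timestamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3})\s+"
    r"(?<level>[A-Z]+)\s+\[(?<component>[^\]]+)\]\s+(?<message>[^\r\n]*)"
)


def splunk_to_python_regex(pattern):
    """Rewrite PCRE-style (?<name>...) groups to Python's (?P<name>...).

    The character after '<' must be a letter or underscore, so lookbehinds such as
    (?<=...) and (?<!...) are left untouched.
    """
    return re.sub(r"\(\?<(?P<n>[A-Za-z_]\w*)>", r"(?P<\g<n>>", pattern)


def break_events(raw, line_breaker=LINE_BREAKER):
    """Split raw text into events the way LINE_BREAKER does: the single capture
    group is the separator and is dropped. Empty fragments are discarded."""
    parts = re.split(line_breaker, raw)
    # re.split returns [event, separator, event, separator, ...]; keep the events only.
    return [p.rstrip("\r\n") for p in parts[::2] if p.strip()]


def extract_fields(event, splunk_regex=SPLUNK_EXTRACT):
    """Apply a Splunk-style extraction regex to one event; {} when it does not match."""
    match = re.match(splunk_to_python_regex(splunk_regex), event)
    return match.groupdict() if match else {}


def parse_log(raw):
    """Break the raw log into events, then extract the named fields from each one."""
    return [extract_fields(event) for event in break_events(raw)]


if __name__ == "__main__":
    for fields in parse_log(SAMPLE_LOG):
        print(fields)
```

Note that Python's re module does not accept Splunk's (?<name>...) syntax, which is why the script rewrites it to (?P<name>...) before matching; the regex you paste into Splunk itself keeps the (?<name>...) form. A LINE_BREAKER in props.conf only takes effect with SHOULD_LINEMERGE = false in the same stanza, otherwise Splunk's line-merging logic still runs afterwards.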

Compress the application folder into a .tar.gz archive with 7-Zip on Windows (tar on Linux).