Sunday, December 16, 2012

Splunk pretrained data sources: weblogic_stdout

When you add new data, make sure you choose the "manual" data source type and manually enter "weblogic_stdout". I personally think this was a very bad UI design decision.... ALWAYS explicitly display all the available choices in a UI; NOTHING should be entered manually.



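See http://docs.splunk.com/Documentation/Splunk/latest/Data/Listofpretrainedsourcetypes for the list of pretrained source types. To print the settings Splunk applies to weblogic_stdout, run: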

cd $SPLUNK_HOME/bin
./splunk btool props list weblogic_stdout


[weblogic_stdout]
ANNOTATE_PUNCT = True
BREAK_ONLY_BEFORE = ^####
BREAK_ONLY_BEFORE_DATE = True
CHARSET = UTF-8
DATETIME_CONFIG = /etc/datetime.xml
HEADER_MODE =
KV_MODE = none
LEARN_SOURCETYPE = true
LINE_BREAKER_LOOKBEHIND = 100
MAX_DAYS_AGO = 2000
MAX_DAYS_HENCE = 2
MAX_DIFF_SECS_AGO = 3600
MAX_DIFF_SECS_HENCE = 604800
MAX_EVENTS = 2048
MAX_TIMESTAMP_LOOKAHEAD = 32
MUST_BREAK_AFTER =
MUST_NOT_BREAK_AFTER =
MUST_NOT_BREAK_BEFORE =
REPORT-st = weblogic-code
REPORT-weblogic92 = wl-log-fields, wl-log-thread-fields
SEGMENTATION = indexing
SEGMENTATION-all = full
SEGMENTATION-inner = inner
SEGMENTATION-outer = outer
SEGMENTATION-raw = none
SEGMENTATION-standard = standard
SHOULD_LINEMERGE = True
TRANSFORMS =
TRUNCATE = 10000
maxDist = 60
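
To see what the BREAK_ONLY_BEFORE, MAX_EVENTS and TRUNCATE values in this stanza mean for a WebLogic log before you index it, here is an added example (not from the original post and not Splunk's own code): a simplified Python model of those three settings only, run over constructed sample lines. It ignores BREAK_ONLY_BEFORE_DATE, timestamp extraction and every other key; preview_events and SAMPLE are hypothetical names.

```python
import re

# Values copied from the [weblogic_stdout] stanza shown above.
BREAK_ONLY_BEFORE = re.compile(r"^####")
MAX_EVENTS = 2048   # maximum input lines merged into one event
TRUNCATE = 10000    # maximum line length in bytes

# Constructed sample: a stray stack-trace tail, a multi-line record, a one-line record.
SAMPLE = [
    "\tat com.example.Worker.run(Worker.java:178)",
    "####<Dec 16, 2012 10:15:32 AM CET> <Error> <HTTP> <host1> <AdminServer> "
    "<ExecuteThread: '1'> <<WLS Kernel>> <> <> <1355649332000> <BEA-000000> <Servlet failed",
    "java.lang.NullPointerException",
    "\tat com.example.Demo.doGet(Demo.java:42)",
    ">",
    "####<Dec 16, 2012 10:15:33 AM CET> <Info> <Security> <host1> <AdminServer> "
    "<main> <<WLS Kernel>> <> <> <1355649333000> <BEA-000000> <Constructed message>",
]

def preview_events(lines, max_events=MAX_EVENTS, truncate=TRUNCATE):
    """Group raw lines into events; return (events, warnings)."""
    events, warnings, current = [], [], []
    for n, line in enumerate(lines, 1):
        raw = line.rstrip("\n").encode("utf-8")
        if len(raw) > truncate:
            warnings.append(f"line {n}: {len(raw)} bytes, cut to {truncate}")
            raw = raw[:truncate]
        text = raw.decode("utf-8", errors="ignore")
        is_header = bool(BREAK_ONLY_BEFORE.search(text))
        if current and is_header:
            # A line starting with #### closes the event collected so far.
            events.append(current)
            current = []
        elif len(current) >= max_events:
            # Line limit reached: the record is split into two events.
            warnings.append(f"line {n}: event split after {max_events} lines")
            events.append(current)
            current = []
        elif not current and not is_header:
            warnings.append(f"line {n}: event does not start with ####")
        current.append(text)
    if current:
        events.append(current)
    return events, warnings

if __name__ == "__main__":
    events, warnings = preview_events(SAMPLE)
    print(f"{len(events)} events, sizes {[len(e) for e in events]}")
    print("\n".join(warnings))
```

Warnings point at records that would be indexed split, cut short or without a leading #### header, which is worth checking before relying on the indexed events in searches or alerts.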




