After you’ve enabled log forwarding, and you’ve identified your critical events needing to be captured, the next phase is to use the Splunk application to extract usable fields so you can sort, report, search on. This is a quick summary on how to extract some basic fields from the armonitor.log (which is used to monitor the Remedy server processes, including AR System Server). This assumes that you’ve set up Forwarding and Collecting Data from the previous article.
Configuring Source Types
1. Log into the Splunk Enterprise Administration Console
4. In the Edit Source Type console, you’ll want to configure a few items, which include event breaks, gathering time stamps, and the categories. Select the Category as needed and if you need any Indexed Extractions.
5. Event Breaks are the first option that will need to be selected. You can choose either Every Line or Regex, based on your requirements.
Set to AR System Server Time Zone
%a %b %d %Y %H:%M:%S.%Q
7. Once that has been configured, you can click “Save”. This has Configured the source type so it will start to parse the logs correctly.
Configuring Field Extractions
1. To configure field extractions click “Settings -> Fields” to open the “Fields” console.
4. You can now configure the extraction how you’d like, for this example we’re going to create the extraction in the “Search” application, give it a name of “AR Monitor Extraction” and apply it to the REM 1908 Source. This would be considered a “inline” extraction. Then you’ll need to put in your expression to extract the fields. See below for a example expression to extract AR Monitor logs.
<(?P<Type>\w+)> <TNAME: (?P<Thread>[^>]*)\s*> <(?P<LogLevel>\w+)\s*> <(?P<Class>[^>]*)> <\s*(?P<ClassLine>[^>]*)> .................................... (?P<Details>.*)
5. Once you’ve configured this, Save the new extraction. You can now modify the permissions as needed, contact your Splunk Admin if you have questions about permission. Once you’ve done this, you should be able to open up a search and start reviewing the index created earlier to view the data needed.
Once you’ve been able to perform these actions, you can start creating Dashboards, Alerts, and other Splunk activities. If you need help with this, then please contact your Splunk Admin for more information. If for any reason the Splunk Server is not working, please contact Splunk as this is their application. BMC will not provide support for this product and this documentation is provided AS IS, as a courtesy.