After you’ve enabled log forwarding and identified the critical events that need to be captured, the next phase is to use the Splunk application to extract usable fields so you can sort, report, and search on them. This is a quick summary of how to extract some basic fields from the armonitor.log (which is used to monitor the Remedy server processes, including the AR System Server). It assumes that you’ve set up Forwarding and Collecting Data as described in the previous article.


Configuring Source Types


1. Log into the Splunk Enterprise Administration Console


2. Click “Settings -> Source Type” to open the “Source Type” console.


3. Click on the Source type that was created with the Add Data Wizard.  In this case it was “AR Monitor Log”.


4. In the Edit Source Type console, you’ll want to configure a few items: event breaks, timestamp recognition, and the category. Select the Category as needed, and enable Indexed Extractions only if you need them.


5. Event Breaks are the first option that needs to be set. You can choose either Every Line or Regex, based on your requirements (for armonitor.log, Every Line is appropriate when each event is written on a single line).


6. The next thing to configure is the Timestamps.  It is recommended that you set the timestamp configuration to “Advanced” and configure it as below.

Timezone: Set to AR System Server Time Zone

Timestamp Format: %a %b %d %Y %H:%M:%S.%Q

Timestamp Prefix: /.

Lookahead: 180

7. Once that has been configured, click “Save”. The source type is now configured so that the logs will be parsed correctly.


Configuring Field Extractions


1. To configure field extractions click “Settings -> Fields” to open the “Fields” console.


2. Then click “Field extractions” to view and edit field extractions.


3. Click “New Field Extraction” in the top right-hand corner to open up the New Field Extraction wizard.


4. You can now configure the extraction as you’d like. For this example we’re going to create the extraction in the “Search” application, give it the name “AR Monitor Extraction”, and apply it to the REM 1908 Source. This would be considered an “inline” extraction. Then you’ll need to put in your regular expression to extract the fields. See below for an example expression for AR Monitor logs.

<(?P<Type>\w+)> <TNAME: (?P<Thread>[^>]*)\s*> <(?P<LogLevel>\w+)\s*> <(?P<Class>[^>]*)> <\s*(?P<ClassLine>[^>]*)> .................................... (?P<Details>.*)

5. Once you’ve configured this, save the new extraction. You can now modify the permissions as needed; contact your Splunk Admin if you have questions about permissions. Once you’ve done this, you should be able to open a search against the index created earlier and start reviewing the extracted data.
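Before saving an inline extraction it is worth checking the regex against a few events offline, because a pattern that silently fails to match leaves the events unsearchable by field (and the same goes for the timestamp format from the source type step above). The following is an added example, not code from the article or from BMC: it runs the article’s regex and timestamp format over constructed sample events. It assumes that mapping Splunk’s %Q to Python’s %f is an acceptable stand-in and that the fixed-width field the run of dots skips may be padded with any text, since the page does not say what that field contains.

```python
import re
from datetime import datetime
from typing import Optional

# The inline extraction regex from the article, copied verbatim; the run of dots skips a
# fixed-width field before the Details text (the page does not say what that field holds).
AR_MONITOR_PATTERN = re.compile(
    r"<(?P<Type>\w+)> <TNAME: (?P<Thread>[^>]*)\s*> <(?P<LogLevel>\w+)\s*> "
    r"<(?P<Class>[^>]*)> <\s*(?P<ClassLine>[^>]*)> "
    r".................................... (?P<Details>.*)"
)
# Width of the skipped field, taken from the pattern itself so sample events line up exactly.
SKIPPED_FIELD_WIDTH = len(re.search(r"\.{2,}", AR_MONITOR_PATTERN.pattern).group(0))

# The article's Splunk timestamp format; %Q (milliseconds) has no strptime equivalent, so it
# is mapped to %f here (my assumption, not Splunk's own behaviour). Lookahead mirrors the 180.
SPLUNK_TIME_FORMAT = "%a %b %d %Y %H:%M:%S.%Q"
PY_TIME_FORMAT = SPLUNK_TIME_FORMAT.replace("%Q", "%f")
MAX_TIMESTAMP_LOOKAHEAD = 180


def extract_fields(event: str) -> Optional[dict]:
    """Run the inline extraction over one event; None means Splunk would add no fields."""
    match = AR_MONITOR_PATTERN.search(event)
    return match.groupdict() if match else None


def parse_timestamp(event: str) -> Optional[datetime]:
    """Parse the leading timestamp (five whitespace-separated tokens) within the lookahead window."""
    head = event[:MAX_TIMESTAMP_LOOKAHEAD].split()
    try:
        return datetime.strptime(" ".join(head[:5]), PY_TIME_FORMAT)
    except ValueError:
        return None


def make_event(timestamp, log_type, thread, level, cls, cls_line, details):
    """Build a constructed sample event in the shape the regex expects (not a real log line)."""
    skipped = "pid=4242".ljust(SKIPPED_FIELD_WIDTH)  # hypothetical filler for the skipped field
    return (f"{timestamp} <{log_type}> <TNAME: {thread}> <{level}> <{cls}> "
            f"<{cls_line}> {skipped} {details}")


# Constructed samples: one event that matches, and a stack-trace style line that will not.
GOOD_EVENT = make_event("Tue Jan 14 2020 10:11:12.123", "EVENT", "Main Thread ", "INFO ",
                        "com.bmc.arsys.armonitor.Monitor", " 42", "arserverd restarted")
BAD_EVENT = "\tat com.bmc.arsys.armonitor.Monitor.run(Monitor.java:42)"
```

Note that `[^>]*` is greedy, so the Thread field keeps any trailing whitespace before the closing `>`; trim it in the regex or in searches if you plan to group by thread name.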


Once you’ve been able to perform these actions, you can start creating Dashboards, Alerts, and other Splunk activities.  If you need help with this, then please contact your Splunk Admin for more information.  If for any reason the Splunk Server is not working, please contact Splunk as this is their application.  BMC will not provide support for this product and this documentation is provided AS IS, as a courtesy.