I have a situation where I need to combine events from an older version of an application with a newer one, while both are live in production.
The newer version produces Windows Event log events in plain text, and everything works like a champ.
The older version produces Windows Event log events in XML, so the event looks like:
01/21/10 10:07:06 AM
LogName=Application
SourceName=APP-XXXXXXX
EventCode=0
EventType=1
Type=Error
ComputerName=XXXXXXXXXX
Category=0
CategoryString=none
RecordNumber=15920
Message=<Exception timestamp="01/21/2010 10:07:06" type="xxxxx.xxxxx.ExceptionUtilityValidationUnexpectedType" message="Object "System.Int32" does not support type "xxxxxx.xxxxx.Xml.Type.IXmlType"" source="xxxxxx.xxxxx" machineName="xxxxxxxxx" applicationDomainName="IsolatedAppDomainHost:xxxxxxxxxxxxxxx.dll" lastRethrowFrameIndex="0" lastRethrowFrameIndexAction=""><StackTrace><Frame exceptionType="xxxxxx.xxxxxx.ExceptionUtilityValidationUnexpectedType" declaringType="xxxxxx.xxxxxx.Validation" method="CheckExpectedType" fileName="xxxxxxxxxxxxxxx.cs" lineNumber="327" /></StackTrace></Exception>
I would rather not have the users performing searches be concerned with whether the event contains XML or not in the message. I was wondering if there was a way to reformat the Message to remove the XML as it’s consumed by Splunk, so the event will look something like the following when it’s indexed:
01/21/10 10:07:06 AM
LogName=Application
SourceName=APP-XXXXXXX
EventCode=0
EventType=1
Type=Error
ComputerName=XXXXXXXXXX
Category=0
CategoryString=none
RecordNumber=15920
Message=Exception type="xxxxx.xxxxx.ExceptionUtilityValidationUnexpectedType" message="Object "System.Int32" does not support type "xxxxxx.xxxxx.Xml.Type.IXmlType"" source="xxxxxx.xxxxx" machineName="xxxxxxxxx" applicationDomainName="IsolatedAppDomainHost:xxxxxxxxxxxxxxx.dll" lastRethrowFrameIndex="0" lastRethrowFrameIndexAction=""
exceptionType="xxxxxx.xxxxxx.ExceptionUtilityValidationUnexpectedType" declaringType="xxxxxx.xxxxxx.Validation" method="CheckExpectedType" fileName="xxxxxxxxxxxxxxx.cs" lineNumber="327"
I was heading down the path of adding the following into transforms.conf:
[reformat_message]
REGEX = «some crazy regex that I haven’t figured out yet»
FORMAT = .
DEST_KEY = MetaData:Message (I’m not sure if that is correct)
Then updating the inputs.conf to the following:
[WinEventLog:Application]
TRANSFORMS-changemessage = reformat_message
But I’m concerned I’m heading down a black hole and may end up breaking something else.
Thanks,
Permalink Reply by Michael Wilde on January 26, 2010 at 10:23am
Permalink Reply by Atul Mistry on January 27, 2010 at 9:14am
Permalink Reply by Michael Wilde on January 27, 2010 at 1:51pm
Permalink Reply by Atul Mistry on January 28, 2010 at 4:34am
Permalink Reply by Michael Wilde on January 28, 2010 at 10:25am
Permalink Reply by Atul Mistry on January 29, 2010 at 7:17am
Permalink Reply by Michael Wilde on January 29, 2010 at 2:32pm
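An added example, not part of the original thread and not the poster's or Splunk's own code: a Python rendering of the substitutions that take the old-format event in the question to the flat form it asks for, while leaving plain-text events untouched. The sample events (placeholder values shortened), the function names and the assumption that attribute values never contain angle brackets are all constructed for illustration.

```python
import re

# Constructed sample, modelled on the old-version event in the post
# (placeholder values shortened). Note the unescaped quotes inside
# message="...": the payload is not well-formed XML, so an XML parser
# would reject it and a tag-level regex is used instead.
OLD_EVENT = (
    '01/21/10 10:07:06 AM\n'
    'LogName=Application\n'
    'Type=Error\n'
    'RecordNumber=15920\n'
    'Message=<Exception timestamp="01/21/2010 10:07:06" type="x.UnexpectedType" '
    'message="Object "System.Int32" does not support type "x.IXmlType"" '
    'source="x.y" lastRethrowFrameIndexAction="">'
    '<StackTrace><Frame exceptionType="x.UnexpectedType" '
    'method="CheckExpectedType" fileName="x.cs" lineNumber="327" />'
    '</StackTrace></Exception>'
)
# Constructed new-version event: plain text, must pass through untouched.
NEW_EVENT = '01/21/10 10:07:09 AM\nLogName=Application\nMessage=Validation failed'

# One tag: optional "/", element name, attribute text, optional "/" before ">".
# Assumption: attribute values never contain "<" or ">".
TAG = re.compile(r'<(/?)([A-Za-z][\w.:-]*)([^<>]*?)\s*/?>')
TIMESTAMP = re.compile(r'\btimestamp="[^"]*"\s*')


def _flatten_tag(m):
    closing, name, attrs = m.group(1), m.group(2), m.group(3).strip()
    if closing or not attrs:
        return ''                      # </Exception>, <StackTrace>, ...
    if name == 'Exception':
        # The post's target output keeps the word "Exception" and drops
        # the timestamp attribute, which duplicates the event time.
        return 'Exception ' + TIMESTAMP.sub('', attrs)
    return '\n' + attrs                # each <Frame .../> on its own line


def normalize_event(event):
    """Strip XML markup from the Message field; leave other events as-is."""
    head, sep, message = event.partition('Message=')
    if not sep or not message.lstrip().startswith('<'):
        return event
    return head + sep + TAG.sub(_flatten_tag, message).strip()


if __name__ == '__main__':
    print(normalize_event(OLD_EVENT))
```

In Splunk the equivalent rewrite would be applied to the raw event at index time; the `SEDCMD-<class>` setting in props.conf accepts sed-style `s/regex/replacement/g` rules for that purpose.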
