
Reputation: 1

How to ingest DB logs into Splunk? I need only logs that are Warning, Error, Critical, ORA-* logs. Any sample props changes would be appreciated.

I have the host details list and log directories. The keywords I need to get logs for, to be ingested into Splunk, are on the list below: Warning, Error, Critical, ORA-* logs.

Upvotes: -2

Views: 793

Answers (1)

Honky Donkey

Reputation: 618

Trying to break this into the main steps. Maybe some of the steps have already been followed, but just scroll through.

  1. The host will need to have the Universal Forwarder installed and sending data to your indexing tier.

  2. You will need to create an app on the forwarder and add an inputs.conf at $SPLUNK_HOME/etc/apps/your_app/local/inputs.conf

[monitor:///var/log/my_app/oracle.log]
disabled = 0
index = oracle
sourcetype = your_sourcetype

  3. On the indexer you'll need an app to filter only the log lines you need. Place the props/transforms files in a similarly named app:

$SPLUNK_HOME/etc/apps/your_app/local/props.conf
$SPLUNK_HOME/etc/apps/your_app/local/transforms.conf

props.conf

[your_sourcetype]
TRANSFORMS-set = setnull, setparsing

transforms.conf

# This routes every event to the nullQueue, i.e. drops it
[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

# This overrides setnull for events containing Error, Warning, an ORA- code
# or Critical, sending them on to be indexed (the match is case-sensitive)
[setparsing]
REGEX = Error|Warning|ORA-\d{0,5}|Critical
DEST_KEY = queue
FORMAT = indexQueue

[your_sourcetype1]
TRANSFORMS-set = setnull, setparsing

[your_sourcetype2]
TRANSFORMS-set = setnull, setparsing

  4. Last but not least, don't forget to restart Splunk on both forwarder and indexer.

Upvotes: 1
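To check what the setnull/setparsing pair above actually keeps before deploying it, here is an added Python simulation of the routing (not from the original answer and not Splunk's own code). It assumes the documented Splunk behaviour that transforms in TRANSFORMS-set run in order and the last one matching wins for the same DEST_KEY; the sample log lines are constructed.

```python
import re

# Simulation of the transforms.conf routing from the answer: setnull sends
# every event to nullQueue, then setparsing overrides that for events that
# match the keyword regex. Assumption: for the same DEST_KEY the last matching
# transform in TRANSFORMS-set order wins, which is what the pattern relies on.
TRANSFORMS = [
    # (stanza name, REGEX, FORMAT written to DEST_KEY = queue)
    ("setnull", re.compile(r"."), "nullQueue"),
    ("setparsing", re.compile(r"Error|Warning|ORA-\d{0,5}|Critical"), "indexQueue"),
]


def route_event(event: str) -> str:
    """Return the queue an event ends up in: 'nullQueue', 'indexQueue', or
    'default' when no transform matched (only possible for an empty event,
    since '.' matches any non-empty line)."""
    queue = "default"
    for _name, regex, fmt in TRANSFORMS:
        if regex.search(event):
            queue = fmt
    return queue


def filter_events(events):
    """Return only the events that would reach the index queue."""
    return [e for e in events if route_event(e) == "indexQueue"]


# Constructed sample log lines, not taken from any real system.
SAMPLE_LOG = [
    "2024-01-10 10:00:01 Info: listener started",
    "2024-01-10 10:00:05 Warning: tablespace USERS is 85% full",
    "2024-01-10 10:00:07 Error: connection pool exhausted",
    "2024-01-10 10:00:09 ORA-01555: snapshot too old",
    "2024-01-10 10:00:11 Critical: archiver stuck",
    "2024-01-10 10:00:13 ERROR: upper-case spelling is dropped as written",
    "2024-01-10 10:00:15 Debug: heartbeat",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(f"{route_event(line):>10}  {line}")
```

Running it shows the upper-case ERROR line landing in nullQueue, so if the source logs use upper-case severities the regex needs adjusting (or a case-insensitive flag) before the config goes live.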
