Community:BreakingSourceCodeExample

From Splunk Wiki

Jump to: navigation, search

Suppose you want to shove all of your source code into Splunk, so you can search your code. By default Splunk will break unknown source types on timestamps. C++ and Java source types obviously do not have timestamps! You also don't want to process each source line as a separate event. Below is the configuration to have Splunk break events whenever a function closes. In Java and C++ this is generally done with a "}" near the beginning of a line. In C++ as the first character, generally, and Java within a few characters.

Step 1) In props.conf, let's tell Splunk that files that end in c, cc, cpp, cxx, etc., are C++ files; and that files that end in .java are java files. Note the four periods "....". The first 3 are an ellipse (...) saying match on anything to the left. The fourth period is the actual extension ".". Think of it as "..." + ".cpp" 

                                                                                                                                                                                                                                                                    
[source::....(c|cc|cpp|cs|cxx|h|hh|hpp|hxx)]                                                                                                                                                                                                                        
sourcetype = c++                                                                                                                                                                                                                                                    
                                                                                                                                                                                                                                                                    
[source::....(java)]                                                                                                                                                                                                                                                
sourcetype = java

Step 2) Still in props.conf, let's define the behavior of the source types c++ and java. 

##############################################################################                                                                                                                                                                                      
####### ADDS REASONABLY GOOD SUPPORT FOR C++ AND JAVA BY BREAKING FUNCTIONS,                                                                                                                                                                                        
####### CLASSES, STRUCTS INTO SEPARATE EVENTS                                                                                                                                                                                                                       
#######         -- david@splunk.com                                                                                                                                                                                                                                 
##############################################################################                                                                                                                                                                                      
                                                                                                                                                                                                                                                                    
[c++]                                                                                                                                                                                                                                                               
# -- break at end of functions, classes, and structs                                                                                                                                                                                                                
MUST_BREAK_AFTER = ^}                                                                                                                                                                                                                                               
BREAK_ONLY_BEFORE = gooblygook                                                                                                                                                                                                                                      
# -- allow insanely long functions                                                                                                                                                                                                                                  
MAX_EVENTS=4000                                                                                                                                                                                                                                                     
# no timestamps in line, use the file modification time
DATETIME_CONFIG = NONE                                                                                                                                                                                                                                              
CHECK_METHOD = modtime                                                                                                                                                                                                                                              
# don't learn what c++ files look like, we'll simply classify them by extension
LEARN_MODEL = false                                                                                                                                                                                                                                                 
                                                                                                                                                                                                                                                                    
                                                                                                                                                                                                                                                                    
[java]                                                                                                                                                                                                                                                              
BREAK_ONLY_BEFORE = gooblygook                                                                                                                                                                                                                                      
#  break at end of classes or methods on level deep in class, assuming indented one tab or 4 spaces                                                                                                                                                                                                                           
MUST_BREAK_AFTER = ^(?:\t| {0,4})}                                                                                                                                                                                                                                  
# -- allow insanely long functions                                                                                                                                                                                                                                  
MAX_EVENTS=4000                                                                                                                                                                                                                                                     
# no timestamps in line, use the file modification time                                                                                                                                                                                                                                                
DATETIME_CONFIG = NONE                                                                                                                                                                                                                                              
CHECK_METHOD = modtime                                                                                                                                                                                                                                              
# don't learn what c++ files look like, we'll simply classify them by extension
LEARN_MODEL = false

The result of the below configuration is that all lines within a function, method, struct, and class, are put together as a single event.

You can then search for things like "what are my longest functions?": 

 
                 sourcetype=java | sort -linecount
Retrieved from "http://wiki.splunk.com/Community:BreakingSourceCodeExample"
Hot Wiki Topics


About Splunk >
  • Search and navigate IT data from applications, servers and network devices in real-time.
  • Download Splunk