I am a Splunk user (with no control over data collection) and have set up color coding for errors (red), warnings, etc. in different colors. To do this, I had to categorize the data I could, but I can't believe that is how it should be done.
My understanding is that each type of source (Windows event logs, IIS logs, WebSphere Java logs, etc.) will have a forwarder that can be configured.
I have not seen any mention (in Splunk documentation and sites) that there are any STANDARD categories of messages such as "errors", "warnings", etc. This means either that there are none or that it's so fundamental, it's assumed everyone knows this...
It would seem to me that the forwarder should be in charge of categorizing messages, with event log messages being the easiest as the source is already categorized, but other files are not hard either. For example, an IIS response code of "500" is obviously an error (and 200 = good), as are events in standard-error Java logs. Others might need more configuration with regular expressions.
So basically, what I should be able to do is use the passed category to color-code my messages as well as search for all errors categorized as "errors".
How is this normally handled?
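One way to model the per-source categorization described in the question, as an added example in Python that is not part of the original post and is not Splunk's own parsing or configuration: each source type gets its own classifier (Windows event `Type`, IIS `sc-status`, WebSphere event-type letter, with a regex fallback for free-form lines), and every event is mapped onto one common scale of `info`/`warning`/`error` so that a single search or color rule works across all of them. The sourcetype names, the log layouts and the sample events are constructed for the example.

```python
"""Normalize events from several log formats onto one severity scale.

Added example: a Python model of per-source severity classification.
It is not Splunk's pipeline; sourcetype names and sample events are constructed.
"""
import re
from collections import Counter

SEVERITIES = ("info", "warning", "error")

# Constructed IIS W3C #Fields header. Real IIS logs carry this directive and
# the field order is configurable, so sc-status is located by name, not position.
IIS_FIELDS_HEADER = ("#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query "
                     "s-port cs-username c-ip cs(User-Agent) sc-status "
                     "sc-substatus sc-win32-status time-taken")


def iis_field_index(header, name="sc-status"):
    """Index of a W3C field, read from the #Fields directive."""
    names = header.split(":", 1)[1].split()
    return names.index(name)


IIS_STATUS_INDEX = iis_field_index(IIS_FIELDS_HEADER)


def severity_from_windows_event(raw):
    """Windows event logs already carry a level in their Type= line."""
    m = re.search(r"^Type=(\w+)", raw, re.MULTILINE)
    level = m.group(1).lower() if m else ""
    if level in ("error", "critical"):
        return "error"
    if level == "warning":
        return "warning"
    return "info"


def severity_from_iis(raw, status_index):
    """IIS: 5xx is an error, 4xx (client error) a warning, everything else info."""
    parts = raw.split()
    try:
        status = int(parts[status_index])
    except (IndexError, ValueError):
        return "info"  # malformed row: do not silently promote it to an error
    if status >= 500:
        return "error"
    if status >= 400:
        return "warning"
    return "info"


# Constructed layout modelled on a WebSphere SystemOut.log line:
# [timestamp] threadId component    X message   (X = one-letter event type)
WEBSPHERE_LINE = re.compile(r"^\[[^\]]+\]\s+\w+\s+\S+\s+([A-Z])\s")


def severity_from_websphere(raw):
    """Use the event-type letter when present; otherwise fall back to keywords
    (the 'more configuration with regular expressions' case)."""
    m = WEBSPHERE_LINE.match(raw)
    if m:
        code = m.group(1)
        if code in ("E", "F", "R"):  # Error, Fatal, anything written to System.err
            return "error"
        if code == "W":
            return "warning"
        return "info"
    if re.search(r"(Exception|Error)\b|\b(ERROR|FATAL)\b", raw):
        return "error"
    if re.search(r"\bWARN(ING)?\b", raw):
        return "warning"
    return "info"


# One classifier per source family; keyed on the part before ':' in the sourcetype.
CLASSIFIERS = {
    "WinEventLog": severity_from_windows_event,
    "iis": lambda raw: severity_from_iis(raw, IIS_STATUS_INDEX),
    "websphere_systemout": severity_from_websphere,
}


def classify(sourcetype, raw):
    """Map one raw event to the common scale; unknown sources default to info."""
    handler = CLASSIFIERS.get(sourcetype.split(":", 1)[0])
    return handler(raw) if handler else "info"


def normalize(events):
    return [(st, classify(st, raw), raw) for st, raw in events]


def select(events, severity):
    """The 'search for everything categorized as error' from the question."""
    return [raw for _, sev, raw in normalize(events) if sev == severity]


def histogram(events):
    return Counter(sev for _, sev, _ in normalize(events))


# Constructed sample events (sourcetype, raw text); not real data.
SAMPLE_EVENTS = [
    ("WinEventLog:Application",
     "LogName=Application\nEventCode=1000\nType=Error\nMessage=Faulting application w3wp.exe"),
    ("WinEventLog:System",
     "LogName=System\nEventCode=7036\nType=Information\nMessage=The Spooler service entered the running state."),
    ("iis", "2024-01-01 10:00:00 10.0.0.1 GET /index.html - 80 - 10.0.0.2 Mozilla/5.0+(Windows) 200 0 0 12"),
    ("iis", "2024-01-01 10:00:01 10.0.0.1 GET /missing - 80 - 10.0.0.2 Mozilla/5.0+(Windows) 404 0 2 3"),
    ("iis", "2024-01-01 10:00:02 10.0.0.1 POST /api/order - 80 - 10.0.0.2 Mozilla/5.0+(Windows) 500 0 0 340"),
    ("websphere_systemout", "[1/1/24 10:00:00:000 UTC] 00000042 SystemOut     O Server server1 open for e-business"),
    ("websphere_systemout", "[1/1/24 10:00:01:000 UTC] 00000042 ServletWrappe W SRVE0068E: Uncaught exception in service method"),
    ("websphere_systemout", "[1/1/24 10:00:01:001 UTC] 00000042 SystemErr     R java.lang.NullPointerException"),
    # A stack-trace continuation line carries no level of its own; it lands in
    # 'info' here, which is why multi-line events must be merged before classifying.
    ("websphere_systemout", "\tat com.example.OrderServlet.doPost(OrderServlet.java:42)"),
]

if __name__ == "__main__":
    for st, sev, raw in normalize(SAMPLE_EVENTS):
        print(f"{sev:8} {st:24} {raw.splitlines()[0][:60]}")
    print(dict(histogram(SAMPLE_EVENTS)))
```

The point of the registry is that the color rule and the "all errors" search depend only on the normalized field, never on the source format. In Splunk the same mapping is usually expressed at search time (a field extraction per sourcetype plus an `eval` with `case()`, or a lookup) rather than on the universal forwarder, which ships raw data; the stack-trace line also shows why event breaking has to happen before any per-event classification.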