topic Re: Splunk App for Jenkins: Is there a way to treat each log as a single Splunk event without changing the .conf files? in All Apps and Add-ons

Splunk App for Jenkins: Is there a way to treat each log as a single Splunk event without changing the .conf files?

ss026381 — Mon, 06 Mar 2017 20:50:43 GMT

I am using Splunk App for Jenkins. I need to treat each build log as a single event in Splunk. Every time I get the data in Splunk, it breaks it on timestamp. Considering I do not have access to the conf files, is there an option in the app configuration to send the log file as a single event.

I found some answers: https://answers.splunk.com/answers/106075/each-file-as-one-single-splunk-event.html on this topic, but they all talk about changing in .conf file.

If I have to change in .conf file, I may ask admin to make this change but I don't know what change I have to make. Where would I use ((?!)) or ((*FAIL)) to achieve this? Do I have to make changes to prop.conf and input.conf? would that change has to go on Splunk server?

Re: Splunk App for Jenkins: Is there a way to treat each log as a single Splunk event without changing the .conf files?

txiao_splunk — Tue, 07 Mar 2017 09:02:55 GMT

If you only want to correlate the log text, have you tried

index=jenkins_artifact source="*/blah.log" | transaction source
index=jenkins_console source="*/job_name/console" | transaction source

If your log file is structure data and you don't splunk break it line by line, please try use misc_text as source type in the advance section

the text will be kept as single event until it exceeds 256KB or 200000 lines

256KB is the default "Max Events Batch Size" in Jenkins plugin advance section.
200000 is the misc_text source type limit, if want to overwrite this, you have to touch props.conf in Splunk

Note: It is only tested on latest Splunk version and Jenkins plugin version

Re: Splunk App for Jenkins: Is there a way to treat each log as a single Splunk event without changing the .conf files?

ss026381 — Tue, 07 Mar 2017 16:08:49 GMT

Thank you Txiao for the answer. First option worked for me but second option didn't work for me. Every time I select "Raw events supported" checked, I don't see any console log event in Splunk. Also when I choose custom source type in option, I still see detault source type (" text:jenkins") in Splunk

Re: Splunk App for Jenkins: Is there a way to treat each log as a single Splunk event without changing the .conf files?

ss026381 — Tue, 07 Mar 2017 19:24:50 GMT

So transaction command gives me what I want, But when I click on the event and try to open the source, it shows error. I guess it is expected because the transaction command can combine events from multiple sources into single event.

Right?