topic Extract Json with different log patterns? in Getting Data In https://community.splunk.com/t5/Getting-Data-In/Extract-Json-with-different-log-patterns/m-p/620911#M106968 <P>Hi My json logs comes with two different patterns one with timestamp and host added sometimes and one with out these extra fields , when i dont have extra timestamp and host the extractions work better , but for the events with timestamp and host events are not breaking properly&nbsp;</P> <P>Type 1 Logs&nbsp;</P> <P><SPAN>&nbsp;&nbsp;&nbsp;</SPAN><SPAN class=""><SPAN class="">Component</SPAN>:<SPAN>&nbsp;xxxxx</SPAN></SPAN><BR /><SPAN>&nbsp;&nbsp;&nbsp;</SPAN><SPAN class=""><SPAN class="">Data</SPAN>:</SPAN><BR /><SPAN>&nbsp;&nbsp;&nbsp;</SPAN><SPAN class=""><SPAN class="">Description</SPAN>:<SPAN>&nbsp;xxxx</SPAN></SPAN><BR /><SPAN>&nbsp;&nbsp;&nbsp;</SPAN><SPAN class=""><SPAN class="">Message</SPAN>:<SPAN>&nbsp;xxxxx</SPAN></SPAN></P> <P><SPAN class=""><SPAN class="">Accessed URL: xxxx</SPAN></SPAN><BR /><SPAN>&nbsp;&nbsp;&nbsp;</SPAN><SPAN class=""><SPAN class="">Originator</SPAN>:<SPAN>&nbsp;xxxx</SPAN></SPAN><BR /><SPAN>&nbsp;&nbsp;&nbsp;</SPAN><SPAN class=""><SPAN class="">Target</SPAN>:<SPAN>&nbsp;xxxx</SPAN></SPAN><BR /><SPAN>&nbsp;&nbsp;&nbsp;</SPAN><SPAN class=""><SPAN class="">appName</SPAN>:<SPAN>&nbsp;xxxxxx</SPAN></SPAN><BR /><SPAN>&nbsp;&nbsp;</SPAN><SPAN>&nbsp;</SPAN><SPAN class=""><SPAN class="">subTarget</SPAN>:<SPAN>&nbsp;XYZ</SPAN></SPAN><BR /><SPAN>&nbsp;&nbsp;&nbsp;</SPAN><SPAN class=""><SPAN class="">timeStamp</SPAN>:<SPAN>&nbsp;</SPAN><SPAN class="">1668522719915</SPAN></SPAN></P> <P>Type 2 Logs :</P> <P><SPAN>Nov 15 15:31:58 ics021013230.ics-eu-1.asml.com</SPAN><SPAN> {"</SPAN><SPAN>appName</SPAN><SPAN>"</SPAN><SPAN>:</SPAN><SPAN> "XXXXXXX</SPAN><SPAN>","</SPAN><SPAN>Component</SPAN><SPAN>"</SPAN><SPAN>:</SPAN><SPAN>"XXXXX</SPAN><SPAN>","</SPAN><SPAN>timeStamp</SPAN><SPAN>"</SPAN><SPAN>:</SPAN><SPAN>"</SPAN><SPAN>1668522718900</SPAN><SPAN>","</SPAN><SPAN>eventId</SPAN><SPAN>"</SPAN><SPAN>:</SPAN><SPAN>"</SPAN><SPAN>2e0525</SPAN><SPAN>","</SPAN><SPAN>Description</SPAN><SPAN>"</SPAN><SPAN>:</SPAN><SPAN>"XXXX</SPAN><SPAN>&nbsp;Gateway: YYYYY&nbsp;</SPAN><SPAN>","</SPAN><SPAN>Originator</SPAN><SPAN>"</SPAN><SPAN>:</SPAN><SPAN>"xxxxxx</SPAN><SPAN>","</SPAN><SPAN>Target</SPAN><SPAN>":xxxxx</SPAN><SPAN>","</SPAN><SPAN>subTarget</SPAN><SPAN>"</SPAN><SPAN>:</SPAN><SPAN>"xxxxx"</SPAN></P> Tue, 15 Nov 2022 16:16:36 GMT deepthi5 2022-11-15T16:16:36Z Extract Json with different log patterns? https://community.splunk.com/t5/Getting-Data-In/Extract-Json-with-different-log-patterns/m-p/620911#M106968 <P>Hi My json logs comes with two different patterns one with timestamp and host added sometimes and one with out these extra fields , when i dont have extra timestamp and host the extractions work better , but for the events with timestamp and host events are not breaking properly&nbsp;</P> <P>Type 1 Logs&nbsp;</P> <P><SPAN>&nbsp;&nbsp;&nbsp;</SPAN><SPAN class=""><SPAN class="">Component</SPAN>:<SPAN>&nbsp;xxxxx</SPAN></SPAN><BR /><SPAN>&nbsp;&nbsp;&nbsp;</SPAN><SPAN class=""><SPAN class="">Data</SPAN>:</SPAN><BR /><SPAN>&nbsp;&nbsp;&nbsp;</SPAN><SPAN class=""><SPAN class="">Description</SPAN>:<SPAN>&nbsp;xxxx</SPAN></SPAN><BR /><SPAN>&nbsp;&nbsp;&nbsp;</SPAN><SPAN class=""><SPAN class="">Message</SPAN>:<SPAN>&nbsp;xxxxx</SPAN></SPAN></P> <P><SPAN class=""><SPAN class="">Accessed URL: xxxx</SPAN></SPAN><BR /><SPAN>&nbsp;&nbsp;&nbsp;</SPAN><SPAN class=""><SPAN class="">Originator</SPAN>:<SPAN>&nbsp;xxxx</SPAN></SPAN><BR /><SPAN>&nbsp;&nbsp;&nbsp;</SPAN><SPAN class=""><SPAN class="">Target</SPAN>:<SPAN>&nbsp;xxxx</SPAN></SPAN><BR /><SPAN>&nbsp;&nbsp;&nbsp;</SPAN><SPAN class=""><SPAN class="">appName</SPAN>:<SPAN>&nbsp;xxxxxx</SPAN></SPAN><BR /><SPAN>&nbsp;&nbsp;</SPAN><SPAN>&nbsp;</SPAN><SPAN class=""><SPAN class="">subTarget</SPAN>:<SPAN>&nbsp;XYZ</SPAN></SPAN><BR /><SPAN>&nbsp;&nbsp;&nbsp;</SPAN><SPAN class=""><SPAN class="">timeStamp</SPAN>:<SPAN>&nbsp;</SPAN><SPAN class="">1668522719915</SPAN></SPAN></P> <P>Type 2 Logs :</P> <P><SPAN>Nov 15 15:31:58 ics021013230.ics-eu-1.asml.com</SPAN><SPAN> {"</SPAN><SPAN>appName</SPAN><SPAN>"</SPAN><SPAN>:</SPAN><SPAN> "XXXXXXX</SPAN><SPAN>","</SPAN><SPAN>Component</SPAN><SPAN>"</SPAN><SPAN>:</SPAN><SPAN>"XXXXX</SPAN><SPAN>","</SPAN><SPAN>timeStamp</SPAN><SPAN>"</SPAN><SPAN>:</SPAN><SPAN>"</SPAN><SPAN>1668522718900</SPAN><SPAN>","</SPAN><SPAN>eventId</SPAN><SPAN>"</SPAN><SPAN>:</SPAN><SPAN>"</SPAN><SPAN>2e0525</SPAN><SPAN>","</SPAN><SPAN>Description</SPAN><SPAN>"</SPAN><SPAN>:</SPAN><SPAN>"XXXX</SPAN><SPAN>&nbsp;Gateway: YYYYY&nbsp;</SPAN><SPAN>","</SPAN><SPAN>Originator</SPAN><SPAN>"</SPAN><SPAN>:</SPAN><SPAN>"xxxxxx</SPAN><SPAN>","</SPAN><SPAN>Target</SPAN><SPAN>":xxxxx</SPAN><SPAN>","</SPAN><SPAN>subTarget</SPAN><SPAN>"</SPAN><SPAN>:</SPAN><SPAN>"xxxxx"</SPAN></P> Tue, 15 Nov 2022 16:16:36 GMT https://community.splunk.com/t5/Getting-Data-In/Extract-Json-with-different-log-patterns/m-p/620911#M106968 deepthi5 2022-11-15T16:16:36Z Re: Extract Json with different log patterns https://community.splunk.com/t5/Getting-Data-In/Extract-Json-with-different-log-patterns/m-p/620913#M106969 <P>What are the props.conf settings for those two sourcetypes?&nbsp; They're very different so they should be separate sourcetypes.&nbsp; Also, the "Type 1" logs are not JSON.</P> Tue, 15 Nov 2022 14:48:02 GMT https://community.splunk.com/t5/Getting-Data-In/Extract-Json-with-different-log-patterns/m-p/620913#M106969 richgalloway 2022-11-15T14:48:02Z