customize log event to splunk hec

splunkNewbie10 — Thu, 16 Sep 2021 23:15:10 GMT

I were able to send my application log to splunk via HTTP event using the splunk java logging library. But somehow the message doesn't look like what appears on my console. Did this happen because the console appender contains an encoder tag? If yes, is there a way for us to specify that inside of the splunk appender? I want splunk to display event exactly like what on my console.

I manually send an event to the index to create the view of what I want it to look like. This's the body content of my rest call to achieve the result in picture 1.

{"sourcetype": "httpevent", "index": "customeindex", "host": "optional-field", "event": "2021-09-15 17:07:58.483 [main] INFO org.springframework.boot.autoconfigure.logging.ConditionEvaluationReportLoggingListener.logMessage - Error starting ApplicationContext. To display the conditions report re-run your application with 'debug' enabled.\r\n"}

what i want it to look like

But the below is what I got. All the information like logger, severity, threat and time are already included in the message so I don't want my app to send all that to splunk in the event.

the current data

<?xml version="1.0" encoding="UTF-8"?> <configuration> <include resource="org/springframework/boot/logging/logback/defaults.xml" /> <property name="defaultPattern" value="%d{yyyy-MM-dd HH:mm:ss.SSS} [%thread] %-5level %logger.%M - %msg%n"/> <property name="LogFilePath" value="${LogFilePath:-.}"/> <appender name="CONSOLE" class="ch.qos.logback.core.ConsoleAppender"> <encoder class="ch.qos.logback.classic.encoder.PatternLayoutEncoder"> <pattern>${defaultPattern}</pattern> </encoder> </appender> <Appender name="splunkAppender" class="com.splunk.logging.HttpEventCollectorLogbackAppender"> <url>https://random:8088</url> <token>132</token> <index>randomindex</index> <disableCertificateValidation>true</disableCertificateValidation> <host>${hostname}</host> <source>orchestrator</source> <sourcetype>json</sourcetype> <layout class="ch.qos.logback.classic.PatternLayout"> <pattern>${defaultPattern}</pattern> </layout> </Appender> <springProfile name="!local"> <root level="info"> <appender-ref ref="CONSOLE" /> <appender-ref ref="splunkAppender" /> </root> </springProfile> <springProfile name="local"> <root level="info"> <appender-ref ref="CONSOLE" /> <appender-ref ref="APPLICATION" /> </root> </springProfile> </configuration>

Re: customize log event to splunk hec

redg — Mon, 09 Jan 2023 02:58:00 GMT

Did you find a solution ?

i have the same need.

Re: customize log event to splunk hec

bodoTe — Tue, 20 Feb 2024 20:07:51 GMT

in you HEC appender you need to set '%msg' as the pattern, but NOT the one you use for the Console Appender (which is the 'defaultPattern')

topic Re: customize log event to splunk hec in Getting Data In

customize log event to splunk hec

Re: customize log event to splunk hec

Re: customize log event to splunk hec