https://community.splunk.com/t5/Getting-Data-In/Sending-rsyslog-JSON-format/m-p/271897#M52243 <P>my application is using rsyslog to write logs, so anyway i need to find way to change the log format because it's not standard JSON.</P> <P>rsyslog default fromat is TIMESTAMP HOSTNAME APP MSG</P> <P>so we solved this issue by creating new template at syslog without timestamp,hostname,application (in other words - just JSON messages) </P> <P>By adding at /etc/rsyslog.d/mysqpplication.conf: <BR /> $template MyTemplate,"%msg%\n"<BR /> :programname, isequal, "MYSQPP" @10.0.100.220:555;MyTemplate</P> <P>And add to /opt/splunk/etc/system/local/props.conf<BR /> [MyApp]<BR /> pulldown_type = true<BR /> INDEXED_EXTRACTIONS = json<BR /> KV_MODE = JSON<BR /> category = Structured<BR /> description = MyApp</P> Tue, 29 Sep 2020 07:33:58 GMT shaharl 2020-09-29T07:33:58Z https://community.splunk.com/t5/Getting-Data-In/Sending-rsyslog-JSON-format/m-p/271894#M52240 <P>Hello,</P> <P>I have tried today to integrate Splunk with Rsyslog that Contains JSON.<BR /> The issue is that rsyslog is sending the information with timestamp, hostname, and application name before the JSON message that my application made.</P> Tue, 13 Oct 2015 21:38:41 GMT https://community.splunk.com/t5/Getting-Data-In/Sending-rsyslog-JSON-format/m-p/271894#M52240 shaharl 2015-10-13T21:38:41Z https://community.splunk.com/t5/Getting-Data-In/Sending-rsyslog-JSON-format/m-p/271895#M52241 <P>Can you post some sample log entries?</P> Tue, 13 Oct 2015 21:55:02 GMT https://community.splunk.com/t5/Getting-Data-In/Sending-rsyslog-JSON-format/m-p/271895#M52241 somesoni2 2015-10-13T21:55:02Z https://community.splunk.com/t5/Getting-Data-In/Sending-rsyslog-JSON-format/m-p/271896#M52242 <P>JSON and Syslog are different formats and dont particularly play well together due to the nature of the format of syslog. There are some custom rules you can compile for Rsyslog that will help with JSON. </P> <P>BUT.. since you're using Splunk, why are you trying to ingest these with rsyslog? Why not use a Splunk Universal Forwarder and ingest the JSON files directly into Splunk. Splunk understands JSON format with no problems..</P> Wed, 14 Oct 2015 04:57:42 GMT https://community.splunk.com/t5/Getting-Data-In/Sending-rsyslog-JSON-format/m-p/271896#M52242 esix_splunk 2015-10-14T04:57:42Z https://community.splunk.com/t5/Getting-Data-In/Sending-rsyslog-JSON-format/m-p/271897#M52243 <P>my application is using rsyslog to write logs, so anyway i need to find way to change the log format because it's not standard JSON.</P> <P>rsyslog default fromat is TIMESTAMP HOSTNAME APP MSG</P> <P>so we solved this issue by creating new template at syslog without timestamp,hostname,application (in other words - just JSON messages) </P> <P>By adding at /etc/rsyslog.d/mysqpplication.conf: <BR /> $template MyTemplate,"%msg%\n"<BR /> :programname, isequal, "MYSQPP" @10.0.100.220:555;MyTemplate</P> <P>And add to /opt/splunk/etc/system/local/props.conf<BR /> [MyApp]<BR /> pulldown_type = true<BR /> INDEXED_EXTRACTIONS = json<BR /> KV_MODE = JSON<BR /> category = Structured<BR /> description = MyApp</P> Tue, 29 Sep 2020 07:33:58 GMT https://community.splunk.com/t5/Getting-Data-In/Sending-rsyslog-JSON-format/m-p/271897#M52243 shaharl 2020-09-29T07:33:58Z https://community.splunk.com/t5/Getting-Data-In/Sending-rsyslog-JSON-format/m-p/271898#M52244 <P>I did this with a similar situation where a syslog header was added to the front of XML events. In <CODE>props.conf</CODE>, make a <CODE>LINE_BREAKER</CODE> setting for the sourcetype (or whatever) and add the regex for the syslog header, and end with the opening of your JSON (XML in my example):</P> <PRE>`[sam:xml] # Strips syslog header and makes events pure XML LINE_BREAKER = (\d\s\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}-\d{2}:\d{2}\s[\w_-]+\s[\w-_]+\s\d+\s-\s-\s) SHOULD_LINEMERGE = false`</PRE> <P>Obviously, your regex will vary. Post a sample event if you need help with the regex.</P> Wed, 14 Oct 2015 12:42:13 GMT https://community.splunk.com/t5/Getting-Data-In/Sending-rsyslog-JSON-format/m-p/271898#M52244 stmyers7941 2015-10-14T12:42:13Z