Importing rsyslog json as metrics

krunoslav — Mon, 20 Jan 2020 17:33:31 GMT

Hi everyone,

I'm trying to import the following type of log data as metrics (extract shown):

Nov 14 03:23:42 hostname rsyslogd-pstats:{ "name": "global", "origin": "dynstats", "values": { } }
Nov 14 03:23:42 hostname rsyslogd-pstats:{ "name": "imuxsock", "origin": "imuxsock", "submitted": 0, "ratelimit.discarded": 0, "ratelimit.numratelimiters": 0 }
Nov 14 03:23:42 hostname rsyslogd-pstats:{ "name": "action 0", "origin": "core.action", "processed": 50996, "failed": 0, "suspended": 0, "suspended.duration": 0, "resumed": 0 }
Nov 14 03:23:42 hostname rsyslogd-pstats:{ "name": "action 1", "origin": "core.action", "processed": 50996, "failed": 0, "suspended": 0, "suspended.duration": 0, "resumed": 0 }

The entry in props.conf looks like this:

[t_json_test_m]
LINE_BREAKER = ([\r\n]+)
MAX_TIMESTAMP_LOOKAHEAD = 15
NO_BINARY_CHECK = true
TIME_FORMAT = %b %d %T
SEDCMD-strip = s/^[^\{]+//
METRIC-SCHEMA-TRANSFORMS = metric-schema:t_json_test_m_1579526919489
SHOULD_LINEMERGE = false
category = Log to Metrics
disabled = false
AUTO_KV_JSON = false
KV_MODE = none
INDEXED_EXTRACTIONS = json

And the corresponding entry in transforms.conf is:

[metric-schema:t_json_test_m_1579526919489]
METRIC-SCHEMA-MEASURES = _ALLNUMS_

However, when I add the data to a metrics index, I see nothing. I got no messages from Splunk in the GUI, but I saw a JSON parsing error in the _internal index (01-20-2020 16:59:43.458 +0100 ERROR JsonLineBreaker - JSON StreamId:0 had parsing error:Unexpected character while looking for value: 'N'...). But, when I remove the metrics part from the config and index the file to a normal index, I can see the data. Any clues? I tried to follow the guidelines at https://docs.splunk.com/Documentation/Splunk/8.0.0/Metrics/L2MSplunkWeb. My Splunk version is 8.0.1 and I'm doing all this on a single machine. Thanks.

topic Importing rsyslog json as metrics in Getting Data In

Importing rsyslog json as metrics