All Apps and Add-ons

Splunk App for Jenkins: Is there a way to treat each log as a single Splunk event without changing the .conf files?

ss026381
Communicator

I am using Splunk App for Jenkins. I need to treat each build log as a single event in Splunk. Every time I get the data in Splunk, it breaks it on timestamp. Considering I do not have access to the conf files, is there an option in the app configuration to send the log file as a single event.

I found some answers: https://answers.splunk.com/answers/106075/each-file-as-one-single-splunk-event.html on this topic, but they all talk about changing in .conf file.

If I have to change in .conf file, I may ask admin to make this change but I don't know what change I have to make. Where would I use ((?!)) or ((*FAIL)) to achieve this? Do I have to make changes to prop.conf and input.conf? would that change has to go on Splunk server?

0 Karma
1 Solution

txiao_splunk
Splunk Employee
Splunk Employee

If you only want to correlate the log text, have you tried

index=jenkins_artifact source="*/blah.log" | transaction source
index=jenkins_console source="*/job_name/console" | transaction source

If your log file is structure data and you don't splunk break it line by line, please try use misc_text as source type in the advance section

alt text

the text will be kept as single event until it exceeds 256KB or 200000 lines

256KB is the default "Max Events Batch Size" in Jenkins plugin advance section.
200000 is the misc_text source type limit, if want to overwrite this, you have to touch props.conf in Splunk

Note: It is only tested on latest Splunk version and Jenkins plugin version

View solution in original post

txiao_splunk
Splunk Employee
Splunk Employee

If you only want to correlate the log text, have you tried

index=jenkins_artifact source="*/blah.log" | transaction source
index=jenkins_console source="*/job_name/console" | transaction source

If your log file is structure data and you don't splunk break it line by line, please try use misc_text as source type in the advance section

alt text

the text will be kept as single event until it exceeds 256KB or 200000 lines

256KB is the default "Max Events Batch Size" in Jenkins plugin advance section.
200000 is the misc_text source type limit, if want to overwrite this, you have to touch props.conf in Splunk

Note: It is only tested on latest Splunk version and Jenkins plugin version

View solution in original post

ss026381
Communicator

So transaction command gives me what I want, But when I click on the event and try to open the source, it shows error. I guess it is expected because the transaction command can combine events from multiple sources into single event.

Right?

0 Karma

ss026381
Communicator

Thank you Txiao for the answer. First option worked for me but second option didn't work for me. Every time I select "Raw events supported" checked, I don't see any console log event in Splunk. Also when I choose custom source type in option, I still see detault source type (" text:jenkins") in Splunk

0 Karma
Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!