Splunk App for Jenkins: Is there a way to treat each log as a single Splunk event without changing the .conf files?

ss026381
Communicator

I am using Splunk App for Jenkins. I need to treat each build log as a single event in Splunk. Every time I get the data in Splunk, it breaks it on timestamp. Considering I do not have access to the conf files, is there an option in the app configuration to send the log file as a single event?

I found some answers on this topic: https://answers.splunk.com/answers/106075/each-file-as-one-single-splunk-event.html, but they all talk about making changes in the .conf file.

If I have to make a change in the .conf file, I may ask the admin to make this change, but I don't know what change I have to make. Where would I use ((?!)) or ((*FAIL)) to achieve this? Do I have to make changes to prop.conf and input.conf? Would that change have to go on the Splunk server?

0 Karma
1 Solution

txiao_splunk
Splunk Employee

If you only want to correlate the log text, have you tried

index=jenkins_artifact source="*/blah.log" | transaction source
index=jenkins_console source="*/job_name/console" | transaction source

If your log file is structured data and you don't want Splunk to break it line by line, please try using misc_text as the source type in the advanced section.

The text will be kept as a single event until it exceeds 256KB or 200000 lines.

256KB is the default "Max Events Batch Size" in the Jenkins plugin advanced section.
200000 is the misc_text source type limit; if you want to override this, you have to touch props.conf in Splunk.

Note: It is only tested on the latest Splunk version and Jenkins plugin version.
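
An added illustration, not part of the original answer and not Splunk's own code: a simplified Python model of how the props.conf LINE_BREAKER setting splits a raw stream when SHOULD_LINEMERGE = false, showing why the never-matching pattern ((?!)) from the question leaves a whole build log as one event, still subject to TRUNCATE. The sample log, the function name and the character-based truncation are assumptions of this sketch.

```python
import re

# Constructed sample: a short Jenkins-style console log (not real build output).
SAMPLE_LOG = (
    "2024-01-05 10:00:01 Started by user admin\n"
    "2024-01-05 10:00:02 Building in workspace /var/jenkins/ws/demo\n"
    "[demo] $ /bin/sh -xe build.sh\n"
    "2024-01-05 10:00:09 Finished: SUCCESS\n"
)

DEFAULT_BREAKER = r"([\r\n]+)"   # props.conf default LINE_BREAKER
NEVER_MATCH = r"((?!))"          # empty negative lookahead: can never match


def break_events(raw, line_breaker, truncate=10000):
    """Simplified model of LINE_BREAKER with SHOULD_LINEMERGE = false.

    The text before capture group 1 ends an event, the text after it starts
    the next one, and the group itself is discarded. truncate models TRUNCATE
    (default 10000, 0 means no limit); it counts characters here, while
    Splunk counts bytes.
    """
    pattern = re.compile(line_breaker)
    events, start = [], 0
    for m in pattern.finditer(raw):
        if m.end(1) == m.start(1):   # ignore empty matches in this model
            continue
        events.append(raw[start:m.start(1)])
        start = m.end(1)
    if start < len(raw):
        events.append(raw[start:])
    events = [e for e in events if e]
    if truncate:
        events = [e[:truncate] for e in events]
    return events


if __name__ == "__main__":
    print(len(break_events(SAMPLE_LOG, DEFAULT_BREAKER)), "events with the default breaker")
    print(len(break_events(SAMPLE_LOG, NEVER_MATCH)), "event with ((?!))")
```

With the default SHOULD_LINEMERGE = true, Splunk additionally re-merges the broken lines and starts a new event at each timestamp, which this model does not cover.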

ss026381
Communicator

So the transaction command gives me what I want, but when I click on the event and try to open the source, it shows an error. I guess it is expected because the transaction command can combine events from multiple sources into a single event.

Right?

0 Karma

ss026381
Communicator

Thank you Txiao for the answer. The first option worked for me but the second option didn't work for me. Every time I have "Raw events supported" checked, I don't see any console log event in Splunk. Also, when I choose a custom source type in the option, I still see the default source type (" text:jenkins") in Splunk.

0 Karma