I need to ingest audit logs from Atlassian Jira, Confluence, and Bitbucket. Most of that is pretty straight forward, but I am finding the Jira audit logs (atlassian-jira.log and atlassian-servicedesk.log) seem very random (sometimes fields are missing, occasionally a field will be long with multiple words and spaces with no fields or brackets).
Are there any TAs that can assist with parsing for on-prem Jira audit logs (atlassian-jira.log and atlassian-servicedesk.log)? Or any Splunk guidance I can give the Jira admin to help make logging better. So far they have told me they don't want to update their log4j properties files because it will just get overridden the next time they upgrade.
Thanks for your comment.
I have looked at that TA, but the props/transforms doesn't seem to have anything that could handle the logs I had mentioned..
It has line breaking (which matches) and very limited parsing for "extract_jira_issue" which just collects <key>:<value> (a pattern I am only seeing in about 25% of the "thread" fields), practically nothing else from a props/transforms standpoint.
You can try contacting the TA developer to see if a newer version is available that might help you. Another option is to use the TA as a guide for building your own add-on.