Re: splunk universal forwarder

vj5 · ‎05-31-2018

Hi,

My use case is:

I am using splunk universal forwarder to forward logs. And I am able to send the logs to Splunk. I would like to parse the logs by breaking them into multiple lines as below

Now I am getting my log as
{ [-]
log: {someinformation of appication here {msg"a":"1","b":"2","c":"3","d":"4"
}

I want my log to be appear as
so i want to extract the field so that it should appear as below in the splunk ui

{ [-]
log: {someinformation of appication here {msg-"a":"1","b":"2","c":"3","d":"4"}
}
msg-{
a:1
b:2
c:3
d:4
}

I am adding below lines in props.conf

[kubernetes]
CHARSET=UTF-8
SHOULD_LINEMERGE=false
NO_BINARY_CHECK = true
# remove docker json wrapper, then remove escapes from the quotes in the log message.
SEDCMD-1_unjsonify = s/{"log":"(?:\u[0-9]+)?(.?)\n","stream./\1/g
SEDCMD-2_unescapequotes = s/\"/"/g
# another exprimental version of the sed.
#SEDCMD-1_unjsonify = s/{"log":"(?:\u[0-9]+)?(.)\n","stream.?([\n\r])/\1\2/g
category = Custom
disabled = false
pulldown_type = true
TRUNCATE=150000
TZ=UTC

Any help is appreciated.

Thanks.

poete · ‎06-01-2018

Hello,

as I understand, you did not define any field extraction or precise sourcetype.

Please have a look at:
https://docs.splunk.com/Documentation/SplunkCloud/7.0.3/Data/Whysourcetypesmatter
and
http://docs.splunk.com/Documentation/Splunk/7.1.0/Knowledge/ExtractfieldsinteractivelywithIFX

vj5 · ‎06-01-2018

Thanks for your response. I did mention the sourcetype. Where should I mention the field extractor ?

splunk universal forwarder

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Observability Simplified: Combining User Experience, Application Performance & ...

Event Series May & June: From Network Visibility to Service Intelligence

Global Splunk User Group Events: May + June 2026

Join the Conversation