
Splunk stops indexing once the INDEXED_EXTRACTIONS field is added

Engager

This is my monitor stanza in the inputs.conf file:

[monitor:///var/lib/docker/containers/.../*.log]
disabled = false
sourcetype = containers
index = my_container

It doesn't work that well, because the logs are not split correctly and hence it is really hard to read them.

I thought then to use the below config under props.conf:

[containers]
INDEXED_EXTRACTIONS = json

But once I add this configuration, it stops reporting to Splunk. I don't see any logs.

Any suggestions?

Note that these configurations are set on a machine which runs the Splunk Forwarder.


Re: Splunk stops indexing once the INDEXED_EXTRACTIONS field is added

Champion

If you comment out the INDEXED_EXTRACTIONS line does indexing resume?

I notice your input references docker. There has been some discussion about docker logs on answers recently, and it seems they always put the JSON string after non-JSON text, like `<date> Some text {"field": "value"}`. If that's the case you may need to rewrite _raw to allow JSON extractions to work (though I believe INDEXED_EXTRACTIONS occurs prior to the TRANSFORM that would rewrite _raw, so you may need to change `INDEXED_EXTRACTIONS = json` to `KV_MODE = json`).

Refer to these previous answers posts for additional details on rewriting _raw for JSON:

https://answers.splunk.com/answers/608092/json-transformations-1.html
https://answers.splunk.com/answers/608048/i-would-like-to-index-and-make-the-kv-that-are-in.html?chi...
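A worked version of the _raw rewrite the answer above describes, as an added example that is not from the original thread or from Splunk's own documentation. It assumes lines shaped like `<date> Some text {"field": "value"}`, keeps the `containers` sourcetype from the question, and the transform name `docker_strip_prefix` is a hypothetical name chosen for this example:

```ini
# props.conf  (added example; the stanza name is the sourcetype from the question)
[containers]
# Index-time: run the transform below on every event before it is written,
# so that _raw is reduced to the JSON object only.
TRANSFORMS-docker_json = docker_strip_prefix
# Search-time: parse the (now pure JSON) _raw into fields.
# This replaces INDEXED_EXTRACTIONS = json, which is applied before any
# TRANSFORMS could rewrite _raw, so it would see the non-JSON prefix.
KV_MODE = json

# transforms.conf  (hypothetical transform name, assumed for this example)
[docker_strip_prefix]
# Skip any prefix that contains no "{", then capture from the first "{"
# to the last "}" on the line.  A line that is already pure JSON matches
# with an empty prefix and passes through unchanged; a line with no JSON
# does not match, and Splunk then leaves _raw as it was.
REGEX    = ^[^{]*(\{.*\})\s*$
FORMAT   = $1
DEST_KEY = _raw
```

Placement matters for the failure mode in the question: a `TRANSFORMS-*` rule that writes `DEST_KEY = _raw` runs in the parsing pipeline, so these props.conf and transforms.conf stanzas belong on the indexer (or a heavy forwarder), not on a universal forwarder, while `KV_MODE` is read at search time on the search head. Do not keep `INDEXED_EXTRACTIONS = json` on the same sourcetype alongside `KV_MODE = json`, or the same fields get extracted twice.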


Re: Splunk stops indexing once the INDEXED_EXTRACTIONS field is added

Engager

I just had to move the configuration from where the Universal Forwarder runs to the Splunk server.
