Deployment Architecture

Splunk is not correctly splitting Syslog and JSON messages by new line

daniel_splunk
Splunk Employee

We are experiencing issues with various logging sources where messages are not being correctly split by new line and therefore are resulting in a linecount of greater than 1. This is being experienced for our indexes security-apigw (syslog) and security-carbonblack (json).

I updated the props.conf to include the following. However, some of the events are still not split correctly.
SHOULD_LINEMERGE = false
LINE_BREAKER = }}([\r\n]+)


daniel_splunk
Splunk Employee

“INDEXED_EXTRACTIONS”, which came out in 6.x, changes a few things about how Splunk works. It’s used for well-known log sources (IIS, JSON, XML) to have their fields parsed out by the forwarder, moving the work from the indexer to the forwarder.

So you need to install those props on the forwarder, not the indexer. When INDEXED_EXTRACTIONS is enabled, it will pass the parsed fields to the indexers. The indexers will not apply any parsing rules to data that was processed with INDEXED_EXTRACTIONS.

You can add the following into your forwarder configuration.

props.conf
[carbonblack:json]
INDEXED_EXTRACTIONS=json

Here is the doc for more information.
http://docs.splunk.com/Documentation/Splunk/6.5.2/Data/Extractfieldsfromfileswithstructureddata
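To see why the LINE_BREAKER from the question leaves a linecount greater than 1 on the syslog and JSON sources, here is an added simulation of Splunk's documented LINE_BREAKER semantics (not Splunk's code and not from the original post): the regex needs a capture group, text before the group closes the previous event, the captured text is dropped, and text after it starts the next event. The sample syslog and Carbon Black style lines are constructed for the demonstration.

```python
import re

# Simulates Splunk's LINE_BREAKER handling (added example, not Splunk code):
# the event boundary is the first capture group of the regex.
def split_events(raw, line_breaker):
    pattern = re.compile(line_breaker)
    events = []
    start = 0
    for m in pattern.finditer(raw):
        # text up to the capture group belongs to the current event
        events.append(raw[start:m.start(1)])
        # the captured newline(s) are discarded; next event starts after them
        start = m.end(1)
    events.append(raw[start:])
    return [e for e in events if e]

def linecount(event):
    # Splunk's linecount field: number of lines in one event
    return event.count("\n") + 1

# Constructed sample stream: two syslog lines (single-line, no braces) and two
# JSON events, one ending in a single "}" and one ending in "}}".
SAMPLE = (
    "<134>Apr 1 10:00:01 apigw1 gateway: GET /login 200\n"
    "<134>Apr 1 10:00:02 apigw1 gateway: POST /token 401\n"
    '{"type":"alert","host":"ws01","severity":3}\n'
    '{"type":"watchlist","process":{"name":"x.exe","pid":42}}\n'
)

QUESTION_BREAKER = r"}}([\r\n]+)"  # the setting from the question
DEFAULT_BREAKER = r"([\r\n]+)"     # Splunk's default LINE_BREAKER

if __name__ == "__main__":
    for name, breaker in (("question", QUESTION_BREAKER), ("default", DEFAULT_BREAKER)):
        events = split_events(SAMPLE, breaker)
        print(name, "->", len(events), "event(s), linecounts",
              [linecount(e) for e in events])
```

With `}}([\r\n]+)` only a line ending in two closing braces can end an event, so every syslog line and every flat JSON object is glued to whatever follows it; the default breaker splits all four lines. Enabling INDEXED_EXTRACTIONS=json on the forwarder, as the answer suggests, lets Splunk delimit JSON events structurally instead of relying on this regex.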
