Re: Splunk universal forwarder

vj5 · ‎06-25-2018

Developers are sending a log in json format. But splunkforwarder is reading the log as single line text.
What migt the issue ?. Any help is appreciated.
Thanks in advance

ddrillic · ‎06-25-2018

Try What are the requirements for a perfect Splunk JSON document?

You might need in props.conf -

INDEXED_EXTRACTIONS = json
category = Structured

vj5 · ‎06-25-2018

@ddrillic and @amifath Thanks for you responses.

Now I am getting my log as
{ [-]
log: {someinformation of appication here {msg"a":"1","b":"2","c":"3","d":"4"
}

I want my log to be as below
{ [-]
log: {someinformation of appication here {msg-"a":"1","b":"2","c":"3","d":"4"}
}
msg-{
a:1
b:2
c:3
d:4
}

Devlopers are passing the log as json format but when it coming into splunk ui it is converting into invalid JSON.

amiftah · ‎06-25-2018

If you mean one event by single line text and your json file has one node then it's normal to have that result, try to use spath command to extract more fields:
http://docs.splunk.com/Documentation/Splunk/7.1.1/SearchReference/Spath

Splunk universal forwarder

[Puzzles] Solve, Learn, Repeat: Reprocessing XML into Fixed-Length Events

Data Management Digest – December 2025

Index This | What is broken 80% of the time by February?

Join the Conversation

Splunk universal forwarder

[Puzzles] Solve, Learn, Repeat: Reprocessing XML into Fixed-Length Events

Data Management Digest – December 2025

Index This | What is broken 80% of the time by February?