Re: Splunk universal forwarder

vj5 · ‎06-25-2018

Developers are sending a log in json format. But splunkforwarder is reading the log as single line text.
What migt the issue ?. Any help is appreciated.
Thanks in advance

ddrillic · ‎06-25-2018

Try What are the requirements for a perfect Splunk JSON document?

You might need in props.conf -

INDEXED_EXTRACTIONS = json
category = Structured

vj5 · ‎06-25-2018

@ddrillic and @amifath Thanks for you responses.

Now I am getting my log as
{ [-]
log: {someinformation of appication here {msg"a":"1","b":"2","c":"3","d":"4"
}

I want my log to be as below
{ [-]
log: {someinformation of appication here {msg-"a":"1","b":"2","c":"3","d":"4"}
}
msg-{
a:1
b:2
c:3
d:4
}

Devlopers are passing the log as json format but when it coming into splunk ui it is converting into invalid JSON.

amiftah · ‎06-25-2018

If you mean one event by single line text and your json file has one node then it's normal to have that result, try to use spath command to extract more fields:
http://docs.splunk.com/Documentation/Splunk/7.1.1/SearchReference/Spath

Splunk universal forwarder

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Agent Mode Engaged! Enchaining Agentic Operations with Splunk AI Assistant 2.0

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Join the Conversation