Deployment Architecture
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Splunk universal forwarder

vj5
New Member
‎06-25-2018 01:12 PM

Developers are sending a log in json format. But splunkforwarder is reading the log as single line text.
What migt the issue ?. Any help is appreciated.
Thanks in advance

Tags (1)
0 Karma
Reply

ddrillic
Ultra Champion
‎06-25-2018 02:06 PM

Try What are the requirements for a perfect Splunk JSON document?

You might need in props.conf -

INDEXED_EXTRACTIONS = json
category = Structured
0 Karma
Reply

vj5
New Member
‎06-25-2018 03:08 PM

@ddrillic and @amifath Thanks for you responses.

Now I am getting my log as
{ [-]
log: {someinformation of appication here {msg"a":"1","b":"2","c":"3","d":"4"
}

I want my log to be as below
{ [-]
log: {someinformation of appication here {msg-"a":"1","b":"2","c":"3","d":"4"}
}
msg-{
a:1
b:2
c:3
d:4
}

Devlopers are passing the log as json format but when it coming into splunk ui it is converting into invalid JSON.

0 Karma
Reply

amiftah
Communicator
‎06-25-2018 01:52 PM

If you mean one event by single line text and your json file has one node then it's normal to have that result, try to use spath command to extract more fields:
http://docs.splunk.com/Documentation/Splunk/7.1.1/SearchReference/Spath

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub  Hello Splunk Community!  Staying connected to your data—no matter where you are—is ...

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Real progress on your strategic priorities starts with knowing the business outcomes your teams are delivering ...

Enterprise Security (ES) Essentials 8.3 is Now GA — Smarter Detections, Faster ...

As of today, Enterprise Security (ES) Essentials 8.3 is now generally available, helping SOC teams simplify ...