We're using Splunk's "javalogging" JAR to send events to Splunk from our Java application directly. This works, but the event's JSON received by the server has only two fields: message and severity (plus the host, index, source, and sourcetype, of course):
{
  "event": {
    "message": "This is a test 20:41:34",
    "severity": "ERROR"
  },
  "host": "myhost",
  "source": "mysource",
  "sourcetype": "logj4"
}
We'd like to add some others -- to help us identify the application and the application instance, et cætera. Can this be done via configuration file -- without recompiling the code?
I realize we can use a pattern-layout to prepend the additional data to the message:
<param name="ConversionPattern" value="FIELD1=VALUE1 FIELD2=VALUE2 %m"/>
but then the extra fields would simply be part of the message -- not separately-indexed fields of their own...
Ok, there are two options here, which can also be combined:
1. Set the includeMDC parameter to true and hope (or provide for) that the MDC in your case contains all of the fields you need — they will be in the properties sub-dictionary of every logged event.
2. Set the messageFormat parameter to json -- and format your message to be in proper JSON itself:
The message field of the submitted event will then itself be a dictionary. In the above example, that sub-dictionary will contain two fields: cat and message. These can be searched for on the Splunk server as message.cat="meow".
I'd still like to be able to add additional fields next to the message and the severity, though -- not inside a sub-dictionary...