We're using Splunk's "javalogging" JAR to send events to Splunk from our Java-application directly. This works, but the event's JSON received by the server has only two fields: message and severity (plus the host, index, source, and sourcetype of course):
"message": "This is a test 20:41:34",
"host" = "myhost",
"source" = "mysource",
"sourcetype" = "logj4"
We'd like to add some others -- to help us identify the application and the application instance, et cætera. Can this be done via configuration file -- without recompiling the code?
I realize we can use a pattern-layout to prepend the additional data to the message:
Ok, there are two options here, which can also be combined:
Set the includeMDC parameter to true and hope (or provide for) that the MDC in your case contains all of the fields you need — they will be in the properties sub-dictionary of every logged event.
Set the messageFormat parameter to json -- and format your message to be in proper JSON itself:
The message field of the submitted event will then itself be a dictionary. In the above example, that sub-dictionary will contain two fields: cat and message. These can be searched for on the Splunk server as message.cat="meow".
I'd still like to be able to add additional fields next to the message and the severity, though -- not inside a sub-dictionary...
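The two options above combined, as an added example that is not part of the original answer. It assumes the Log4j 2 API (the thread does not name the logging framework); the class name, field names and values are constructed. The message JSON is built with escaping so that quotes or newlines in logged data cannot break the event or add extra keys.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.apache.logging.log4j.ThreadContext;
// Hypothetical class. Assumes the Splunk appender is already configured with
// includeMDC set to true and messageFormat set to json (the parameters named above).
public class SplunkFieldsExample {
    private static final Logger LOG = LogManager.getLogger(SplunkFieldsExample.class);
    // Escape quotes, backslashes and control characters so that logged data
    // cannot terminate a JSON string early or inject additional fields.
    static String escape(String s) {
        StringBuilder sb = new StringBuilder();
        for (char c : s.toCharArray()) {
            switch (c) {
                case '"':  sb.append("\\\""); break;
                case '\\': sb.append("\\\\"); break;
                case '\n': sb.append("\\n");  break;
                default:
                    if (c < 0x20) sb.append(String.format("\\u%04x", (int) c));
                    else sb.append(c);
            }
        }
        return sb.toString();
    }
    // Build the JSON object that becomes the event's message sub-dictionary.
    static String jsonMessage(Map<String, String> fields) {
        StringBuilder sb = new StringBuilder("{");
        for (Map.Entry<String, String> e : fields.entrySet()) {
            if (sb.length() > 1) sb.append(',');
            sb.append('"').append(escape(e.getKey())).append("\":\"")
              .append(escape(e.getValue())).append('"');
        }
        return sb.append('}').toString();
    }
    public static void main(String[] args) {
        // Option 1: per-thread fields, delivered in the properties sub-dictionary.
        ThreadContext.put("application", "billing");   // constructed values
        ThreadContext.put("instance", "billing-02");
        // Option 2: structured message, searchable as message.cat="meow".
        Map<String, String> fields = new LinkedHashMap<>();
        fields.put("cat", "meow");
        fields.put("message", "user typed \"quit\"\n"); // needs escaping
        LOG.info(jsonMessage(fields));
        ThreadContext.clearMap(); // keep fields from leaking to the next task on this thread
    }
}
```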