
How to configure Splunk to extract key value pairs with JSON log data from Http Event Collector?

ekst_andwii
New Member

We have started using the Http Event Collector (HEC) for logging directly from our Java apps. HEC takes data in JSON format but we have a lot of legacy code that logs key/value pairs and some searches/dashboards that utilize these. Data logged to HEC is by default indexed as the _json sourcetype and I have tried to configure this with KV_MODE=auto (for key/value) and json (for json-format) but none of these seem to trigger Splunk to index key/values. Example log statement:

logger.info("corrId=11-1111-566 aa=88");

However, I have not been able to search on the keys, e.g. search aa=88

The event looks like this:

Raw format: {"severity":"INFO","logger":"splunk.logger","thread":"main","message":"corrId=11-1111-566 aa=88"}

Any ideas?

0 Karma

richgalloway
SplunkTrust

Consider using transforms.

Put this in your props.conf stanza

TRANSFORMS-messageFields = messageFields

Then create this stanza in your transforms.conf file. It should create a field for each word on the left of each '=' in the event.

[messageFields]
# \w+ rather than [a-z]+ so that mixed-case keys such as corrId are matched
REGEX = (\w+)=([\w\-]+)
FORMAT = $1::$2
# run the regex repeatedly so every key=value pair in the event becomes a field
REPEAT_MATCH = true
# required for index-time field extraction; without it the fields are never written
WRITE_META = true
---
If this reply helps you, Karma would be appreciated.
0 Karma

ekst_andwii
New Member

Thanks for the reply @richgalloway, however, I cannot get this to work. First of all, I think there's a typo, should it not be TRANSFORMS-messageFields? I've added this to props.conf and transforms.conf but Splunk still does not index fields in the message element.

Also, I'm a bit skeptical to adding index-time extractions in the first place as this could have a big performance impact.

0 Karma

richgalloway
SplunkTrust

Yes, it should be TRANSFORMS. I've corrected my answer.
Once you change the config files you need to restart Splunk and then re-index the data as existing events will not be affected.
To do the same thing at search time try this:

<your base search> | rex field=message "corrId=(?<corrId>[^\s]+)\saa=(?<aa>[^\s]+)" | ...
---
If this reply helps you, Karma would be appreciated.
0 Karma

ekst_andwii
New Member

Still cannot get index-time extractions to work, search-time works.

0 Karma

richgalloway
SplunkTrust

Given your concern about the performance of index-time extractions, search-time working is good, right?

---
If this reply helps you, Karma would be appreciated.
0 Karma

ekst_andwii
New Member

Yes, but we want this to happen automatically through KV_MODE in props.conf. That's what we had before, without having to use rex and naming each field at search time.

0 Karma
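As an added example that is not from the thread: the search-time configuration that gives the automatic behaviour the last post asks for, with the JSON keys coming from KV_MODE and the key/value pairs inside message coming from a REPORT transform whose FORMAT names the fields dynamically, so nothing has to be spelled out in a rex. It assumes the events keep the default _json sourcetype shown in the question; the stanza name messageFields_st is made up.

```ini
# props.conf  (added example, not from the thread)
[_json]
# KV_MODE = json extracts only the JSON keys (severity, logger, thread,
# message). It never looks inside the value of "message", which is why
# aa=88 is not searchable with this setting alone.
KV_MODE = json
# Search-time extraction applied on top of the JSON fields.
# Runs at search time, so it has no index-time cost and needs no re-index.
REPORT-messageFields = messageFields_st

# transforms.conf  (added example, not from the thread)
[messageFields_st]
# Run the regex on the already-extracted "message" field instead of _raw,
# so the JSON wrapper ({"severity":"INFO", ...}) is never scanned.
SOURCE_KEY = message
# \w+ on the left so mixed-case keys such as corrId match;
# the value class allows the dashes in 11-1111-566.
REGEX = (\w+)=([\w\-]+)
# $1 becomes the field name, $2 its value: corrId=11-1111-566, aa=88
FORMAT = $1::$2
# Keep matching so every pair in the message becomes a field, not just the first.
REPEAT_MATCH = true
```

After a restart (or a debug/refresh of the search head), a search such as sourcetype=_json aa=88 resolves against the extracted field without any rex in the query.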