Getting Data In

Need help writing the correct parsing stanza specific to an application log type.

Hemnaath
Motivator

Hi all, I need help with the list of parsing stanzas in props.conf, based on the raw log taken from the source application.

Details:

MAX_TIMESTAMP_LOOKAHEAD =
SHOULD_LINEMERGE = false
TIME_PREFIX =
LINE_BREAKER =
TIME_FORMAT =

Raw data:

{"metadata":{"lastReview":"2019-07-26T11:30:00","contactDl":"dl-gedit-wxxxs-dev@xxx.com","vcs":{"type":"GITHUB","typeOther":null,"location":"https://github.ldn.xxxx.com/GED-Params/CommonAnalyticalService","contentType":["Application Code"],"operationEnvironment":null,"binaries":null,"largeFiles":null,"numberOfArtifacts":null,"entitlement":{"type":"xxx"}},"application":{"itamCodes":["AAxxx5"],"language":null,"datastores":null,"buildTool":["Maven"]},"issueTracker":null,"documentation":null,"codeAnalysis":null,"qualityAssurance":null,"artifact":null,"artifactRepository":null,"internal":{"tags":[],"location":"https://github.ldn.xxxx.com/GED-Params/CommonAnalyticalService/metadata.buildchain.xxx.yaml","batch"... Last Review date is not in the valid format of yyyy-MM-dd.","The Application datastores field is missing.","The Application languages field is missing.","The ArtifactRepository section is missing.","The ContinuousIntegration buildStepConfig field is missing.","The ContinuousIntegration buildOrchestrationConfig field is missing.","The ContinuousIntegration executionOfBuild field is missing.","The ContinuousIntegration entitlement field is missing.","The VCS binaries field is missing.","The VCS largeFiles field is missing.","The VCS numberOFArtifacts field is missing."]},"ci":{"ciInstances":[{"type":"TeamCity","uri":"https://flow-teamcity5.xxx.net/project.html?projectId=ged_params_Wxxxs","buildStepConfig":null,"buil...}

0 Karma

richgalloway
SplunkTrust

Is this a single event or more than one?
Kindly identify the event timestamp.
What props.conf settings have you tried?

---
If this reply helps you, an upvote would be appreciated.
0 Karma