Getting Data In

When collecting logs through syslog, why does it come in json format?

guerrillalds
Engager

EPP: {"syslog_type":"AGENT_EVENT", "syslog_data":{"log_string_args":null,"computer_name":"F0-P-N0017","login_id":"POO10","client_time":{"$date ":"2022-10-01T04:31:03.752Z"},"log_string_id":"EPPAGENT_LOGID_11002","user_name":"ppart","data_uuid":"35a5e74d-c4ad-4f25-ba9f-830c6-WINDOWS", "유형":"11000"}}

Field extraction is not working well; what should I do?

0 Karma
1 Solution

yuanliu
SplunkTrust

@PickleRick is correct; the correct form of the question should be "... but it does not come in JSON form." I am not familiar with syslog in (quasi-)JSON form. If your system admin cannot configure the collector in truly conformant JSON form, you should use a forwarder to mangle the input before forwarding.

The first string "EPP:" outside of the {} block violates JSON, even though the {} block is perfectly conformant. I assume that EPP is just one level of logs. The question then is: does the source issue other levels of logs? If not, you can simply ask the forwarder to strip "EPP:" from the raw event. If you must preserve the log level, you can ask the forwarder to add appropriate wraps to these events; e.g., the sample you posted should be modified to the conformant form

{"EPP": {"syslog_type":"AGENT_EVENT", "syslog_data":{"log_string_args":null,"computer_name":"F0-P-N0017","login_id":"POO10","client_time":{"$date ":"2022-10-01T04:31:03.752Z"},"log_string_id":"EPPAGENT_LOGID_11002","user_name":"ppart","data_uuid":"35a5e74d-c4ad-4f25-ba9f-830c6-WINDOWS", "유형":"11000"}}}


0 Karma

yuanliu
SplunkTrust

I assume that you meant index-time extraction, because Splunk can handle JSON at search time; JSON field extraction at search time is automatic. (Or you can use spath in the search window.)

But first, you want to decide whether it is absolutely necessary to extract custom fields at index time. From Create custom fields at index time:

Unless absolutely necessary, do not add custom fields to the set of default fields that Splunk software automatically extracts and indexes at index time... Adding to this list of fields decreases performance, as each indexed field increases the size of the searchable index.

If you really need to do it at index time, asking your system admin to change to plain text can be one option. Depending on which field(s) you want to extract, using a regex on JSON can be attempted, but it is not very robust.

0 Karma

PickleRick
SplunkTrust

Unfortunately, automatic json extraction works only if the whole event is properly formatted json (unless something changed in 9.0, but I don't recall anything like that).

So if you have an event delivered as, for example, "<PRIO>Date host whatever {json data}" - which is quite typical for syslog-delivered logs - it will _not_ get automatically extracted unless you cut the whole header and index only the json portion.

0 Karma
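The accepted answer above describes two fixes for the "EPP: {...}" events (strip the prefix, or wrap the object under a top-level "EPP" key), and PickleRick's reply points out that a full syslog header in front of the JSON causes the same problem. The following is an added example, not code from the thread or from Splunk: a small pre-processing step, of the kind a relay or a heavy forwarder would perform before indexing, that locates the JSON object in each line with the standard library's raw_decode, rejects lines whose object is truncated or followed by trailing text, and emits either the bare object or the wrapped form. The sample events, the hypothetical label regex (an uppercase tag ending in a colon immediately before the "{") and the "unlabeled" fallback key are assumptions made for this example.

```python
import json
import re
from typing import List, Optional, Tuple

# Constructed sample events (not real data): a non-JSON prefix, either the
# bare "EPP:" tag or a full syslog header, followed by a JSON object.
SAMPLE_EVENTS = [
    'EPP: {"syslog_type":"AGENT_EVENT","syslog_data":{"computer_name":"HOST-01","user_name":"alice"}}',
    '<134>Oct  1 04:31:03 host01 epp-agent: EPP: {"syslog_type":"AGENT_EVENT","syslog_data":{"computer_name":"HOST-02"}}',
    'EPP: {"broken": ',                                                   # truncated object: must be reported, not guessed at
    '<134>Oct  1 04:31:04 host01 sshd[12]: Accepted publickey for bob',   # plain-text event, no JSON at all
]

# Hypothetical label pattern (assumption): a short uppercase tag followed by a
# colon at the very end of the prefix, e.g. "EPP: ".
_LABEL_RE = re.compile(r'([A-Z][A-Z0-9_]{1,15}):\s*$')
_DECODER = json.JSONDecoder()


def split_prefix_and_json(event: str) -> Tuple[str, Optional[dict], str]:
    """Return (prefix, parsed_object_or_None, trailing_text).

    Scans to the first '{' and lets raw_decode find the end of the object, so a
    truncated or malformed object is detected instead of being matched by a
    greedy regex that would swallow whatever follows.
    """
    start = event.find('{')
    if start < 0:
        return event, None, ''
    prefix = event[:start]
    try:
        obj, end = _DECODER.raw_decode(event, start)   # end is an absolute index into event
    except json.JSONDecodeError:
        return prefix, None, event[start:]
    if not isinstance(obj, dict):
        return prefix, None, event[start:]
    return prefix, obj, event[end:]


def normalize(event: str, keep_level: bool = True) -> Optional[str]:
    """Rewrite one event so that the whole event is a single JSON document.

    keep_level=False drops the prefix (the "strip EPP:" option).
    keep_level=True  wraps the object under the label, e.g. {"EPP": {...}}.
    Returns None when no complete JSON object is found, so the caller can route
    the line to a plain-text sourcetype instead of feeding it to a JSON parser.
    """
    prefix, obj, trailing = split_prefix_and_json(event)
    if obj is None or trailing.strip():
        return None
    if not keep_level:
        return json.dumps(obj, separators=(',', ':'), ensure_ascii=False)
    match = _LABEL_RE.search(prefix)
    label = match.group(1) if match else 'unlabeled'    # fallback key is an assumption
    return json.dumps({label: obj}, separators=(',', ':'), ensure_ascii=False)


def normalize_batch(events: List[str], keep_level: bool = True) -> Tuple[List[str], List[str]]:
    """Split a batch into (normalized JSON lines, rejected raw lines)."""
    accepted, rejected = [], []
    for event in events:
        out = normalize(event, keep_level)
        if out is None:
            rejected.append(event)
        else:
            accepted.append(out)
    return accepted, rejected


if __name__ == '__main__':
    accepted, rejected = normalize_batch(SAMPLE_EVENTS)
    for line in accepted:
        print(line)
    print(f'rejected {len(rejected)} event(s) with no complete JSON object')
```

Keeping the rejected lines separate matters more than it looks: a greedy pattern such as `\{.*\}` would happily accept the truncated event and hand a non-parseable string to the JSON extractor, which then silently yields no fields, exactly the symptom in the question. In Splunk itself the same rewrite is normally expressed as a sed-style SEDCMD in props.conf on the parsing tier (indexer or heavy forwarder, not a universal forwarder), with KV_MODE = json left to do the search-time extraction once the event is clean.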

PickleRick
SplunkTrust

There are some solutions which push json events via syslog. One of them I use myself on my laptop 🙂 - NXLog exporting Windows EventLog events packed in json. Luckily I don't need to ingest those into Splunk; I only save them to disk for archiving.

But on the other hand, there are solutions which send properly formatted json structures via "syslog transport"; my example here is rsyslog's internal stats generated by the impstats module.

0 Karma