Getting Data In

customize log event to splunk hec

splunkNewbie10
New Member

I were able to send my application log to splunk via HTTP event using the splunk java logging library. But somehow the message doesn't look like what appears on my console. Did this happen because the console appender contains an encoder tag? If yes, is there a way for us to specify that inside of the splunk appender? I want splunk to display event exactly like what on my console. 

I manually send an event to the index to create the view of what I want it to look like. This's the body content of my rest call to achieve the result in picture 1. 

{"sourcetype""httpevent""index""customeindex""host""optional-field""event""2021-09-15 17:07:58.483 [main] INFO  org.springframework.boot.autoconfigure.logging.ConditionEvaluationReportLoggingListener.logMessage - Error starting ApplicationContext. To display the conditions report re-run your application with 'debug' enabled.\r\n"}

 what i want it to look likewhat i want it to look like

But the below is what I got. All the information like logger, severity, threat and time are already included in the message so I don't want my app to send all that to splunk in the event. 

the current datathe current data

 

 

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
	<include resource="org/springframework/boot/logging/logback/defaults.xml" />

	<property name="defaultPattern" value="%d{yyyy-MM-dd HH:mm:ss.SSS} [%thread] %-5level %logger.%M - %msg%n"/>
	<property name="LogFilePath" value="${LogFilePath:-.}"/>
	

	<appender name="CONSOLE" class="ch.qos.logback.core.ConsoleAppender">
		<encoder class="ch.qos.logback.classic.encoder.PatternLayoutEncoder">
			<pattern>${defaultPattern}</pattern>
		</encoder>
	</appender>
	
	<Appender name="splunkAppender" class="com.splunk.logging.HttpEventCollectorLogbackAppender">
        <url>https://random:8088</url>
        <token>132</token>
        <index>randomindex</index>
        <disableCertificateValidation>true</disableCertificateValidation>
        <host>${hostname}</host>
        <source>orchestrator</source>
        <sourcetype>json</sourcetype>
        <layout class="ch.qos.logback.classic.PatternLayout">
            <pattern>${defaultPattern}</pattern>
        </layout>
    </Appender>
    
    
    <springProfile name="!local">
    	<root level="info">
			<appender-ref ref="CONSOLE" />
			<appender-ref ref="splunkAppender" />
		</root>
	</springProfile>

	 <springProfile name="local">
    	<root level="info">
			<appender-ref ref="CONSOLE" />
			<appender-ref ref="APPLICATION" />
		</root>
	</springProfile>
</configuration>

 

 

 

Labels (1)
0 Karma

bodoTe
New Member

 

 

<layout class="ch.qos.logback.classic.PatternLayout">
            <pattern>%msg</pattern>
        </layout>

 

in you HEC appender you need to set '%msg' as the pattern, but NOT the one you use for the Console Appender (which is the 'defaultPattern')

0 Karma

redg
Loves-to-Learn

Did you find a solution ? 

i have the same need. 

0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

 (view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...