Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

customize log event to splunk hec

splunkNewbie10
New Member
‎09-16-2021 04:12 PM

I were able to send my application log to splunk via HTTP event using the splunk java logging library. But somehow the message doesn't look like what appears on my console. Did this happen because the console appender contains an encoder tag? If yes, is there a way for us to specify that inside of the splunk appender? I want splunk to display event exactly like what on my console. 

I manually send an event to the index to create the view of what I want it to look like. This's the body content of my rest call to achieve the result in picture 1. 

{"sourcetype""httpevent""index""customeindex""host""optional-field""event""2021-09-15 17:07:58.483 [main] INFO  org.springframework.boot.autoconfigure.logging.ConditionEvaluationReportLoggingListener.logMessage - Error starting ApplicationContext. To display the conditions report re-run your application with 'debug' enabled.\r\n"}

 what i want it to look likewhat i want it to look like

But the below is what I got. All the information like logger, severity, threat and time are already included in the message so I don't want my app to send all that to splunk in the event. 

the current datathe current data

 

 

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
	<include resource="org/springframework/boot/logging/logback/defaults.xml" />

	<property name="defaultPattern" value="%d{yyyy-MM-dd HH:mm:ss.SSS} [%thread] %-5level %logger.%M - %msg%n"/>
	<property name="LogFilePath" value="${LogFilePath:-.}"/>
	

	<appender name="CONSOLE" class="ch.qos.logback.core.ConsoleAppender">
		<encoder class="ch.qos.logback.classic.encoder.PatternLayoutEncoder">
			<pattern>${defaultPattern}</pattern>
		</encoder>
	</appender>
	
	<Appender name="splunkAppender" class="com.splunk.logging.HttpEventCollectorLogbackAppender">
        <url>https://random:8088</url>
        <token>132</token>
        <index>randomindex</index>
        <disableCertificateValidation>true</disableCertificateValidation>
        <host>${hostname}</host>
        <source>orchestrator</source>
        <sourcetype>json</sourcetype>
        <layout class="ch.qos.logback.classic.PatternLayout">
            <pattern>${defaultPattern}</pattern>
        </layout>
    </Appender>
    
    
    <springProfile name="!local">
    	<root level="info">
			<appender-ref ref="CONSOLE" />
			<appender-ref ref="splunkAppender" />
		</root>
	</springProfile>

	 <springProfile name="local">
    	<root level="info">
			<appender-ref ref="CONSOLE" />
			<appender-ref ref="APPLICATION" />
		</root>
	</springProfile>
</configuration>

 

 

 

Labels (1)
Labels
0 Karma
Reply

bodoTe
New Member
‎02-20-2024 12:06 PM

 

 

<layout class="ch.qos.logback.classic.PatternLayout">
            <pattern>%msg</pattern>
        </layout>

 

in you HEC appender you need to set '%msg' as the pattern, but NOT the one you use for the Console Appender (which is the 'defaultPattern')

0 Karma
Reply

redg
Loves-to-Learn
‎01-08-2023 06:58 PM

Did you find a solution ? 

i have the same need. 

0 Karma
Reply
Get Updates on the Splunk Community!

Unlock Database Monitoring with Splunk Observability Cloud

In today’s fast-paced digital landscape, even minor database slowdowns can disrupt user experiences and stall ...

Print, Leak, Repeat: UEBA Insider Threats You Can't Ignore

Are you ready to uncover the threats hiding in plain sight? Join us for "Print, Leak, Repeat: UEBA Insider ...

Splunk MCP & Agentic AI: Machine Data Without Limits

  Discover how the Splunk Model Context Protocol (MCP) Server can revolutionize the way your organization ...