Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

nxlog output (json in *.log) and Splunk

mazurmateusz
Engager
‎06-03-2015 07:35 AM

Hello,

Sysadmins set nxlog syslog to put event logs from windows to external directory.
The log format is 'json' with extension *.log
My question is how to properly import those data to splunk and index it.
Right now SPLUNK don't recognize all fields (like a EventType, EventID, Hostname etc.)

thanks in advance

Mateusz

0 Karma
Reply

mazurmateusz
Engager
‎06-08-2015 04:36 AM

Hello,

I made something like that:

Add to props.conf:

[Test_json]
INDEXED_EXTRACTIONS = json
KV_MODE = none
NO_BINARY_CHECK = 1
pulldown_type = 1

and restart SPLUNK

After restart try to upload file *.log
1. go to settings upload
2. pickup file
3. upload
4. choose Test_json as a source type
And then i got preview error which information 'change source type'.

Do you have any suggestion what i made wrong?

Regards,
M.

0 Karma
Reply

woodcock
Esteemed Legend
‎06-08-2015 06:57 AM

Before you use it, you need to define the sourcetype of Test_json by adding it to an inputs.conf file (or at the set sourcetype stage after Add Data when you use the GUI to do a New under Data Inputs -> Files & Directories, if you went that route).

0 Karma
Reply

woodcock
Esteemed Legend
‎06-03-2015 08:58 AM

It should be straightforward, just tell splunk to get the *.log files with inputs.conf and then tell it about json like it says here:

http://answers.splunk.com/answers/148307/how-to-parse-and-extract-json-log-files-in-splunk.html

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...